Compliance with standards and regulations
Many organizations evaluating cloud computing are concerned with compliance with standards and regulations, and many of the applications that organizations would most like to deploy to the cloud are those governed by some form of regulatory standard. If you require additional information regarding your particular regulatory requirements, contact Acquia. This page summarizes Acquia's compliance with the following standards and regulations, both governmental and non-governmental:
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Information Security Management Act (FISMA)
- Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)
- SSAE 16 SOC1 (SAS 70)
- Safe Harbor
- EU cookie regulations
- Payment Card Industry Data Security Standard (PCI DSS)
- Section 508
FedRAMP is an important government compliance objective for Acquia Cloud. FedRAMP provides a standardized, government-wide approach to security assessment, authorization, and continuous monitoring for cloud service providers like Acquia, replacing the agency-by-agency FISMA and DIACAP Certification and Accreditation (C&A) processes. The FedRAMP process builds on the work Acquia has done for FISMA and DIACAP, using the NIST SP 800-53 control baseline with additional controls and parameters specific to cloud service providers.
Acquia is in the process of pursuing an Agency Authorization under FedRAMP for Acquia Cloud, our Drupal hosting PaaS platform, working with the U.S. Department of Transportation. LunarLine has been approved as our Third Party Assessment Organization (3PAO). Once granted, all U.S. government agencies can leverage the Acquia Agency Authorization to evaluate Acquia Cloud for their applications, issue their own authorizations to use Acquia Cloud, and migrate sites to the Acquia Cloud platform; until then, agencies should confirm the current status of the authorization package before relying on it.
Acquia Cloud is built on Amazon AWS and therefore inherits infrastructure-layer controls from Amazon, which holds its own FedRAMP authorization for that layer. Inherited controls cover only the infrastructure layer: platform-layer controls fall within Acquia's own authorization boundary, and application-layer controls (the Drupal site itself, its modules, and its user accounts) remain the customer's responsibility.
Acquia enables US government agencies to achieve and sustain compliance with the Federal Information Security Management Act (FISMA). The Acquia platform has been evaluated by independent assessors for a variety of government systems as part of their system owners' approval process, and numerous Federal organizations have achieved security authorizations for systems hosted on AWS in accordance with the Risk Management Framework (RMF) defined in NIST SP 800-37. Acquia's platform has helped federal agencies expand their cloud computing use cases and deploy sensitive government data and applications in the cloud while meeting the security requirements of federal standards.
The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.
CSA's STAR is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.
Acquia's CAIQ is available for download from the CSA STAR registry.
The Statement on Auditing Standards No. 70 (SAS 70) is an auditing standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) that provides guidance to auditors who assess the internal controls of a service provider in order to produce an independent audit report. SAS 70 has been replaced by the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) as of 2011.
The AWS data center environment has received a favorable opinion on the state of its internal control environment from its SAS 70/SSAE 16 auditors. AWS conducts SSAE 16 Service Organization Controls 1 (SOC 1) Type 2 audits annually. Acquia's customers and prospective customers may obtain an electronic copy of Amazon's audit report for their due diligence, subject to the nondisclosure terms under which AWS releases it.
Acquia completed its first SSAE 16 SOC 1 Type 1 examination in June 2012, covering its corporate controls, and Acquia Cloud Enterprise completed its first SOC 1 Type 2 audit in March 2013. The distinction matters when reading the reports: a Type 1 report attests to the design of controls at a point in time, whereas a Type 2 report also tests their operating effectiveness over a review period. Acquia will continue to conduct annual SSAE 16 SOC 1 Type 2 audits going forward and is happy to provide the SOC 1 examination reports to customers and prospective customers.
Safe Harbor is a self-certification program administered by the US Department of Commerce that aims to reconcile US data privacy practices with the stricter privacy regulations of the European Union (EU). Acquia registered with the Safe Harbor program on February 7, 2012. To view Acquia's certification with Safe Harbor, see http://safeharbor.export.gov/companyinfo.aspx?id=22159.
Drupal sites, like the vast majority of websites, use session cookies and may employ other types of cookies. Acquia's customers should consult their legal counsel as to whether a site that serves EU users is required to obtain consent before storing cookies on those users' devices, and which cookies the consent requirement covers (for example, the session cookie Drupal needs to keep users logged in versus analytics or advertising cookies). Acquia can work with its customers to implement technical solutions, including modules or custom code, to satisfy the requirements identified by the customers' legal counsel.
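The consent gate mentioned above, as an added example that is not Acquia's or Drupal's code: a small JavaScript module that lets the session cookie through unconditionally, holds analytics and marketing cookies until the user opts in to that category, and deletes them again if consent is withdrawn. The category names, cookie names and the in-memory cookie store are assumptions for this example; in a browser the store would wrap document.cookie, and the gate would have to run before any third-party script that sets its own cookies.

```javascript
// Added example (not Acquia's or Drupal's code). Category names, cookie names and
// the in-memory store are assumptions; a browser build would wrap document.cookie.

const ESSENTIAL = "essential";   // e.g. Drupal's session cookie; never gated
const CATEGORIES = new Set([ESSENTIAL, "analytics", "marketing"]);

class ConsentGate {
  constructor(store) {
    this.store = store;                 // { get(name), set(name, value, opts), del(name) }
    this.consented = new Set([ESSENTIAL]);
    this.deferred = [];                 // cookies requested before consent was given
    this.registry = new Map();          // cookie name -> category, so revoke() can find them
  }

  // Record the user's choice. Unknown categories are rejected rather than silently allowed.
  grant(categories) {
    for (const c of categories) {
      if (!CATEGORIES.has(c)) throw new Error(`unknown cookie category: ${c}`);
      this.consented.add(c);
    }
    // Flush cookies that were held back waiting for exactly this consent.
    const stillWaiting = [];
    for (const req of this.deferred) {
      if (this.consented.has(req.category)) this.store.set(req.name, req.value, req.opts);
      else stillWaiting.push(req);
    }
    this.deferred = stillWaiting;
  }

  // Withdraw consent for a category: drop pending requests and delete cookies already set.
  revoke(category) {
    if (category === ESSENTIAL) throw new Error("essential cookies cannot be revoked");
    this.consented.delete(category);
    this.deferred = this.deferred.filter((req) => req.category !== category);
    for (const [name, cat] of [...this.registry]) {
      if (cat === category) { this.store.del(name); this.registry.delete(name); }
    }
  }

  // The only path application code should use to set a cookie. Returns true if the
  // cookie was written now, false if it is being held until consent is granted.
  setCookie(name, value, category, opts = {}) {
    if (!CATEGORIES.has(category)) throw new Error(`unknown cookie category: ${category}`);
    this.registry.set(name, category);
    if (this.consented.has(category)) {
      this.store.set(name, value, opts);
      return true;
    }
    this.deferred.push({ name, value, category, opts });
    return false;
  }
}

// Minimal in-memory store so the example runs outside a browser (assumption).
function memoryStore() {
  const jar = new Map();
  return {
    get: (n) => jar.get(n),
    set: (n, v, opts) => jar.set(n, { value: v, opts }),
    del: (n) => jar.delete(n),
    names: () => [...jar.keys()],
  };
}

// Walk through the flow with constructed cookie names: the session cookie is written
// immediately, analytics and marketing are held, analytics is released on consent and
// removed again on revocation, marketing stays pending throughout.
function demo() {
  const store = memoryStore();
  const gate = new ConsentGate(store);
  const before = {
    session: gate.setCookie("SESSabc", "token", ESSENTIAL, { httpOnly: true, secure: true }),
    analytics: gate.setCookie("_ga", "GA1.2.1", "analytics"),
    marketing: gate.setCookie("_fbp", "fb.1", "marketing"),
  };
  gate.grant(["analytics"]);
  const afterGrant = store.names();
  const pendingAfterGrant = gate.deferred.length;
  gate.revoke("analytics");
  const afterRevoke = store.names();
  return { before, afterGrant, pendingAfterGrant, afterRevoke };
}
```

The point of routing every cookie write through one gate is that consent becomes an enforced property of the page rather than a banner that scripts can ignore; the same gate can record the user's choice in an essential cookie so it survives reloads.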
PCI compliance applies to any organization that stores, processes, or transmits cardholder data. Failure to become and remain PCI compliant may expose your business to legal and financial liabilities. The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures, and it helps organizations proactively protect customer account data.
The majority of Acquia Cloud sites with e-commerce capabilities use third-party credit card processors, embedding the processor's payment form code in the site so that card data is sent directly from the end user's browser to the processor and the site receives only a token or transaction reference. Because card data is neither stored on nor passed through the site, the PCI compliance requirements are reduced, but not eliminated: the page that embeds the payment form remains in scope, since script injected into that page can capture card data before it reaches the processor, and the site should verify that no card data ever arrives at its own form handlers.
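A check that follows from the design above, as an added example that is not Acquia's or any payment processor's code: when card entry is delegated to the processor, the site's own form handler must never receive a primary account number (PAN), so the handler can refuse any submission that contains one and record only a masked value. The Luhn check and 13 to 19 digit length are the standard PAN format rules; the field names and sample submissions are constructed for this example, and 4111 1111 1111 1111 is the commonly used Visa test number.

```javascript
// Added example (not Acquia's or any processor's code). Field names and sample
// submissions are constructed for illustration.

// Luhn checksum, the mod-10 check every card brand's PAN satisfies.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// A value "looks like a PAN" if, with spaces and dashes removed, it is 13-19 digits
// and passes Luhn. Digit runs that fail Luhn (order numbers, phone numbers) pass through.
const SEPARATORS = /[\s-]/g;
function looksLikePan(value) {
  const digits = String(value).replace(SEPARATORS, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Mask for any log line or error response: keep only the last four digits.
function maskPan(value) {
  const digits = String(value).replace(SEPARATORS, "");
  return "*".repeat(digits.length - 4) + digits.slice(-4);
}

// Inspect a submitted form (field name -> value) and return the decision the handler
// should take. The full PAN is never copied into the result.
function inspectSubmission(fields) {
  const offending = [];
  for (const [name, value] of Object.entries(fields)) {
    if (looksLikePan(value)) offending.push({ field: name, masked: maskPan(value) });
  }
  if (offending.length > 0) {
    return { accept: false, reason: "card data must go directly to the processor", offending };
  }
  return { accept: true, reason: "", offending };
}

// Constructed submissions: the expected shape (processor token only) and a broken
// integration that posted the card number to the site itself.
const GOOD_SUBMISSION = { order_id: "1000234", payment_token: "tok_example_7f3a", amount: "49.90" };
const BAD_SUBMISSION  = { order_id: "1000235", card_number: "4111 1111 1111 1111", amount: "49.90" };
```

Wiring this into the checkout handler turns a silent scope expansion (a misconfigured form posting card numbers to the Drupal site, where they would land in request logs and the database) into a hard failure that is noticed during testing.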
Acquia Cloud provides a PCI DSS compliant platform foundation for building PCI certified Drupal sites. Both Acquia Cloud and Amazon Web Services have been validated by a Qualified Security Assessor (QSA) as complying with the standards applicable to a Level 1 service provider under PCI DSS version 2.0.
For more on Amazon's PCI accreditation, see http://aws.amazon.com/compliance/pci-dss-level-1-faqs/. For an overview of the PCI responsibilities Acquia ensures and your own responsibilities regarding PCI compliance, see Achieving PCI Compliance for Your Site in Acquia Cloud.
As a merchant, Acquia does not store its customers' credit card data when customers use credit cards to procure its services. Acquia has a completed PCI Self-Assessment Questionnaire C (SAQ C) on file and is validated quarterly by SecurityMetrics, a PCI Approved Scanning Vendor (ASV).
Acquia abides by all privacy laws and regulations that are applicable to our hosting services and to our customers that host sites that may contain personal information on Acquia Cloud. Acquia personnel have logical access to customer data stored in customer sites only if they are authorized and have a need for access due to their job function. Neither Amazon nor any other third party employed by Acquia has logical access to customer data housed in customer sites hosted on Acquia Cloud. Acquia does not transfer customer data hosted on Acquia Cloud outside of Acquia Cloud or to any third party without customer authorization.
Customers must ensure that privacy concerns and regulations are addressed and adhered to at the application layer where customer personnel may have logical access to personal information uploaded or stored in customer sites.
In 1998, the US Rehabilitation Act was amended to require federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all federal agencies when they develop, procure, maintain, or use electronic and information technology.
Drupal has been used to create many Section 508-compliant web sites. For more information on how to ensure Section 508 compliance for your Drupal site, see our white paper on this topic: https://www.acquia.com/collateral/drupal-and-section-508-compliance.