Compliance with standards and regulations

When it comes to cloud computing, many organizations are concerned with compliance with standards and regulations, and many of the interesting types of applications that organizations would like to deploy to the cloud are often those governed by some form of regulatory standard. If you require additional information regarding your particular regulatory requirements, contact Acquia. This page summarizes Acquia's compliance with the following standards and regulations, both governmental and non-governmental:

Federal Information Security Management Act (FISMA)

FISMA and its associated National Institute of Standards and Technology (NIST) standards provide a risk-based framework to support security best practices for systems managed by federal agencies.

Acquia Cloud has implemented and documented controls in line with those required to achieve FISMA accreditation at the moderate-impact level, which are based on the potential impact of a security breach. In July 2012, Acquia Cloud was granted a FISMA Authority to Operate (ATO) at the moderate-impact level for federal customers hosted in Acquia Cloud. A second federal agency issued a FISMA ATO also at the moderate-impact level in March 2013. Acquia Cloud is built on the Amazon Web Services (AWS) infrastructure, which has obtained a FISMA ATO at the moderate-impact level, thus ensuring that the entire stack is FISMA moderate compliant.

Federal Risk and Authorization Management Program (FedRAMP)

FedRAMP is an important government compliance objective for Acquia Cloud. FedRAMP is meant to supersede both the FISMA and DIACAP Certification and Accreditation (C&A) process for federal agencies that use cloud service providers like Acquia. The FedRAMP process builds on the work Acquia has done for FISMA and DIACAP. FedRAMP adds additional controls pertinent to a cloud service provider as specified by NIST.

Acquia has completed its System Security Plan for Acquia Cloud, our Drupal hosting PaaS platform, using the latest FedRAMP templates, and is currently working towards an Agency Sponsored Authority To Operate (ATO) with the U.S. Department of Transportation. LunarLine has been approved as our authorized third-party assessment firm (3PAO). Acquia expects to complete the FedRAMP authorization process for Acquia Cloud by Q3 2014.

Agencies may leverage Acquia Cloud's FedRAMP authorization of Acquia Cloud to facilitate their own authorization requirements if there are any over and above FedRAMP.

Acquia Cloud is built on Amazon AWS and thus inherits Infrastructure layer controls from Amazon. Separately, Amazon AWS has received FedRAMP authorization for the Infrastructure layer.

Department of Defense Information Assurance Certification and Accreditation Process (DIACAP)

The DIACAP provides the accreditation framework to support security best practices for systems managed by the Department of Defense (DoD) federal agencies. Acquia has created a DIACAP package (at a Mission Assurance Category (MAC) II Sensitive level) for one of our federal DoD customers hosted in Acquia Cloud Enterprise and is ready to work with other DoD agencies to obtain DIACAP authorization. Acquia Cloud is built on Amazon Web Services, which has obtained an IATO (Interim Approval to Operate) at MAC III Sensitive.

Cloud Security Alliance (CSA) Security, Trust and Assurance Registry (STAR)

The CSA is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The CSA is led by a broad coalition of industry practitioners, corporations, associations, and other key stakeholders.

CSA's STAR is a free, publicly accessible registry that documents the security controls provided by cloud computing offerings, thereby helping organizations assess the security of cloud providers they currently use or are considering contracting with. Acquia has completed and published its Consensus Assessments Initiative Questionnaire (CAIQ), which provides industry-accepted ways to document the security controls in our PaaS (platform as a service) offering. The CAIQ provides a set of over 140 questions that a cloud consumer and cloud auditor may wish to ask of a cloud provider.

Acquia's CAIQ is available for download at https://cloudsecurityalliance.org/star/registry/.

ISO 27001

ISO 27001 is an international standard that specifies security management best practices and comprehensive security controls following the ISO 27002 best practice guidance. The AWS infrastructure, upon which Acquia Cloud is built, has been accredited with meeting the ISO 27001 standard by an independent third party.

For more on Amazon Web Services compliance with the ISO 27001 standard, see http://aws.amazon.com/compliance/iso-27001-faqs/.

SSAE 16 SOC1 (SAS 70)

The Statement on Auditing Standards No. 70 (SAS 70) is an auditing standard issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) that provides guidance to auditors who assess the internal controls of a service provider in order to produce an independent audit report. SAS 70 has been replaced by the Statements on Standards for Attestation Engagements No. 16 (SSAE 16) as of 2011.

The AWS data center environment has received a favorable opinion on the state of its internal control environment based on its SAS 70/SSAE 16 auditors. AWS conducts SSAE 16 Service Organization Controls 1 (SOC 1), Type 2 audits annually. Acquia's customers and prospective customers may obtain an electronic copy of Amazon's audit report for their due diligence.

Acquia completed its first SSAE 16 SOC 1 Type I examination in June 2012 covering its corporate controls and Acquia Cloud Enterprise completed its first SOC 1 Type 2 audit in March 2013. Acquia will continue to conduct annual SSAE 16 SOC 1 Type 2 audits going forward. Acquia is happy to provide the SOC 1 examination reports to our customers and prospective customers.

Safe Harbor

Safe Harbor is a certification program run by the US Department of Commerce that aims to harmonize data privacy practices between the US and the stricter privacy regulations of the European Union (EU). Acquia was registered with the Safe Harbor program on February 7, 2012. To view Acquia's certification with Safe Harbor, see http://safeharbor.export.gov/companyinfo.aspx?id=17472.

EU cookie regulations

The Privacy and Electronic Communications Regulations 2003 (a European Community (EC) Directive) cover the use of cookies and similar technologies for storing information and accessing information stored on users' equipment, such as their computer or mobile phone. In 2009, this Directive was amended by Directive 2009/136/EC. This included a change to Article 5(3) of the E-Privacy Directive requiring consent before a website stores cookies or similar technologies.

Drupal sites, like the vast majority of websites, make use of session cookies and may employ other types of cookies. Acquia's customers should consult with their legal counsel as to whether their website is required to implement consent before storing cookies on customer devices that serve EU users. Acquia can work with its customers to implement technical solutions, including modules or custom code, in order to satisfy the requirements from the customers' legal counsel.

Payment Card Industry Data Security Standard (PCI DSS)

PCI compliance applies to any organization that stores, transmits, or transacts credit card data. PCI compliance is important; failure to become PCI compliant may expose your businesses to legal and financial liabilities. The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard helps organizations proactively protect customer account data.

The majority of Acquia Cloud sites with e-commerce capabilities use third-party credit card processors, embedding the secure payment form code within their site so that credit card data is sent directly from the end user to the credit card processor. Because credit card data is not stored on the site that implements e-commerce in this way, the PCI compliance requirements are minimized.

Acquia Cloud provides a PCI-compliant platform foundation for building PCI certified Drupal sites. Both Acquia Cloud and Amazon Web Services have been QSA validated as complying with standards applicable to a Level 1 service provider under PCI - DSS Version 2.0.

For more on Amazon’s PCI accreditation, see http://aws.amazon.com/compliance/pci-dss-level-1-faqs/.

For an overview of what PCI responsibilities Acquia ensures and your responsibilities regarding PCI compliance, see Achieving PCI Compliance for Your Site in Acquia Cloud.

As a merchant, Acquia does not store its customers' credit card data when customers use credit cards to procure its services. Acquia has a completed a PCI Self-Assessment Questionnaire C (SAQ C) on file and is certified quarterly by SecurityMetrics.

Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act establishes national standards for electronic healthcare transactions and the storage of Personal Health Information (PHI). Acquia Cloud provides a framework that covered entities that must comply with HIPAA requirements can leverage to build a HIPAA-compliant system.

Privacy

Acquia abides by all privacy laws and regulations that are applicable to our hosting services and to our customers that host sites that may contain personal information on Acquia Cloud. Acquia personnel have logical access to customer data stored in customer sites only if they are authorized and have a need for access due to their job function. Neither Amazon nor any other third party employed by Acquia has logical access to customer data housed in customer sites hosted on Acquia Cloud. Acquia does not transfer customer data hosted on Acquia Cloud outside of Acquia Cloud or to any third party without customer authorization.

Customers must ensure that privacy concerns and regulations are addressed and adhered to at the application layer where customer personnel may have logical access to personal information uploaded or stored in customer sites.

Acquia’s Privacy Policy describes how Acquia handles any personal information gathered from visitors to its website at acquia.com and from users of our software and services from Acquia. To read Acquia’s Privacy Policy, see http://acquia.com/about-us/legal/privacy-policy.

Section 508

In 1998 the US Congress amended the Rehabilitation Act to require federal agencies to make their electronic and information technology accessible to people with disabilities. Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and to encourage development of technologies that will help achieve these goals. The law applies to all federal agencies when they develop, procure, maintain, or use electronic and information technology.

Drupal has been used to create many Section 508-compliant web sites. For more information on how to ensure Section 508 compliance for your Drupal site, see our white paper on this topic: https://www.acquia.com/collateral/drupal-and-section-508-compliance.