Zscaler complies with...
BLUF: Zscaler's commitment to these compliance standards demonstrates their focus on providing secure and trustworthy cloud security solutions for a wide range of organizations, including those in highly regulated industries and the public sector. They continually work to align with evolving compliance requirements and provide features that help their customers meet their obligations. [AI Agent]
Zscaler's compliance with the following standards, mandates, and regulations:
Compliance with NIST Standards:
NIST 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations): Zscaler's FedRAMP Moderate and High platforms are compliant with NIST 800-53 security controls. Their architecture, incorporating Zero Trust principles, Secure Access Service Edge (SASE), and AI-driven security, helps organizations meet these stringent requirements.
NIST 800-207 (Zero Trust Architecture): Zscaler's core architecture is built on Zero Trust principles, aligning with NIST's guidance on implementing a Zero Trust approach. Their solutions enforce least-privileged access, continuous verification, and micro-segmentation, key tenets of ZTA.
NIST Cybersecurity Framework (CSF): No direct certification against the CSF is stated, but Zscaler acknowledges and aligns with the NIST CSF in its approach to cybersecurity risk management.
NIST 800-171: Zscaler's solutions can assist organizations in meeting the requirements of NIST 800-171 for protecting Controlled Unclassified Information (CUI), which is particularly relevant for the Defense Industrial Base (DIB).
OMB M-22-09 (Federal Zero Trust Strategy): Zscaler's architecture and services are specifically designed to help federal agencies meet the mandates of OMB Memorandum M-22-09, "Moving the U.S. Government Toward Zero Trust Cybersecurity Principles." Key aspects of their compliance include:
Zero Trust Implementation: Zscaler's SASE platform inherently supports the transition from perimeter-based defenses to a Zero Trust model.
Secure Internet Access: Zscaler enables secure access to applications over the public internet without relying on traditional VPNs.
Encryption: They enforce HTTPS for all web and API traffic and support encrypted DNS queries.
Identity and Device Security: Zscaler integrates with enterprise identity management systems and considers device-level signals for authorization.
Application Security: Their solutions include features for application security testing and vulnerability management.
Data Security: Zscaler offers capabilities for data categorization, monitoring access to sensitive data in the cloud, and implementing data loss prevention (DLP).
Logging and Information Sharing: Their platform provides real-time logging and integrates with SIEM systems for enhanced visibility.
Executive Orders (EOs):
Executive Order 14028 (Improving the Nation's Cybersecurity): Zscaler's adoption by the U.S. federal government to secure federal and defense data highlights their alignment with the goals of EO 14028, particularly the transition to Zero Trust.
DoD Zero Trust Strategy: Zscaler's solutions align with the DoD's Zero Trust framework.
CMMC (Cybersecurity Maturity Model Certification) / NIST 800-171: Requirements for protecting Controlled Unclassified Information (CUI) in the Defense Industrial Base.
FedRAMP Moderate and High: Demonstrates compliance with stringent federal security requirements for cloud service providers.
IRS 1075: Security guidelines for handling Federal Tax Information (FTI).
FAFSA: Security measures for Free Application for Federal Student Aid data.
Non-Federal:
ITAR (International Traffic in Arms Regulations): Compliance for handling defense-related information.
CJIS (Criminal Justice Information Services): Standards for handling criminal justice information.
HECVAT (Higher Education Cloud Vendor Assessment Toolkit): For cloud services used by higher education institutions.
Industry/Commercial:
ISO 27001: International standard for information security management systems.
ISO 27701: Extension to ISO 27001 for privacy information management.
ISO 27018: Code of practice for protection of personally identifiable information (PII) in the cloud.
ISO 27017: Guidelines for cloud-specific information security risks and controls.
SOC 2 Type II: Report validating the security, availability, processing integrity, confidentiality, and privacy controls of a service organization.
SOC 3: Summary of the SOC 2 report for general use.
CSA STAR Level 2 (Gold): Cloud Security Alliance's Security, Trust & Assurance Registry certification.
GDPR (General Data Protection Regulation): European Union regulation on data protection and privacy.
HIPAA (Health Insurance Portability and Accountability Act): US law for protecting sensitive health information.
PCI DSS (Payment Card Industry Data Security Standard): Security standard for organizations that handle credit card information.
GLBA (Gramm-Leach-Bliley Act): US law requiring financial institutions to protect the privacy and security of customers' nonpublic personal information.
FERPA (Family Educational Rights and Privacy Act): US law protecting the privacy of students' education records.