Certifications and Compliance
Adherence to technology certifications and industry compliance requirements is critical to maintaining a robust security posture. Because of this, Mandiant is dedicated to ensuring that Mandiant security products and technologies meet or exceed critical industry certification and compliance requirements.
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to move from old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT. Mandiant is committed to adopting FedRAMP for our solutions. Towards this, Mandiant anticipates certification for the Advantage platform as the program continues to evolve and mature through 2023.
SOC 2 – Service Organization and Controls
Mandiant undergoes an annual independent third-party SSAE 18 audit using the criteria set forth in the American Institute of Certified Public Accountants (AICPA) Guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Confidentiality (SOC 2®), and the suitability of the design and operating effectiveness of controls for the security, availability, and confidentiality principles set forth in the Trust Services Principles, TSP Section 100A. Mandiant can provide users with compliance reports (SOC 2 Type II reports) for the offerings listed below that include a description of the controls environment, the external audit result, and the auditor's opinion on controls that meet the AICPA Trust Services Security, Availability, and Confidentiality Principles and Criteria.
- Mandiant Automated Defense
- Mandiant Managed Defense
- Mandiant Security Validation
- Mandiant Consulting (Q4 2022)
- Mandiant Threat Intelligence (Q4 2022)
UK Cyber Essentials
Cyber Essentials Certification is an effective, UK Government-backed scheme from the National Cyber Security Centre that shows Mandiant protects our organization against a whole range of cyber-attacks. The Cyber Essentials scheme provides clarity on good basic cyber security practice. By focusing on basic cyber hygiene, Mandiant shows it is better protected from the most common cyber threats. Cyber Essentials Certification is required to bid for UK central government contracts which involve handling sensitive and personal information or the provision of certain technical products and services.
PCI DSS V3.2 - Payment Card Industry Data Security Standard
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard, administered by the PCI Security Standards Council, that is designed to encourage and enhance cardholder data security and promote the adoption of consistent data security measures around the technical and operational components related to cardholder data. Mandiant engages a Qualified Security Assessor (“QSA”) company to conduct an annual audit against the eligible criteria for the PCI Self-Assessment Questionnaire for Service Providers (SAQ-D) and has successfully received an Attestation of Compliance (AoC) covering its Mandiant Managed Defense services.
EU-U.S. Privacy Shield, and the Swiss-U.S. Privacy Shield
Mandiant complies with the requirements of the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union member countries and Switzerland. Mandiant adheres to the Privacy Shield Principles of notice; choice; onward transfer; security; data integrity and purpose limitation; access; and recourse, enforcement and liability with respect to all personal information transferred from the EU or Switzerland to the US within the scope of its Privacy Shield certification. Mandiant does not use Privacy Shield as a mechanism for cross-border data transfer.
National Institute of Standards and Technology Special Publication 800-171 was released in June 2015. It focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal information systems and organizations and defines security requirements to achieve that objective. Mandiant has undergone a self-assessment that confirmed compliance with NIST 800-171 controls. Mandiant continually evaluates its compliance with NIST 800-171.
Mandiant is committed to adopting the U.S. Department of Defense Cybersecurity Maturity Model Certification (CMMC) Program and is currently “CMMC Ready” for our US-based Managed Defense service. Mandiant anticipates full certification for this and other offerings as the program continues to evolve and mature through 2023.