CrowdStrike - Compliance and Certification

HELPING YOU MEET YOUR REGULATORY NEEDS

CrowdStrike recognizes that compliance and certification frameworks are critical to your organization. CrowdStrike can help you meet these requirements, providing you with confidence regarding the safe, smooth and compliant operation of your business. External validation and accreditation are critically important to organizations that rely on CrowdStrike’s capabilities and technology to secure their data and comply with regulatory requirements.

PCI DSS V3.2

This report, produced by Coalfire, a PCI Qualified Security Assessor (QSA), outlines CrowdStrike Falcon's functionality with respect to PCI DSS v3.2. In summary:

  • CrowdStrike Falcon meets all elements of requirement No. 5: "Protect all systems against malware and regularly update antivirus software or programs."
  • In addition, CrowdStrike Falcon provides assistance with meeting four additional PCI requirements.

FEDRAMP

CrowdStrike Falcon on GovCloud is authorized under the Federal Risk and Authorization Management Program (FedRAMP). CrowdStrike’s Authorization to Operate (ATO) at the Moderate Impact Level from the U.S. Department of Commerce’s International Trade Administration (ITA) supports the federal government’s efforts to modernize IT and streamline operations with cloud computing by addressing the need for comprehensive endpoint protection delivered via the cloud. CrowdStrike seeks to make this process easy for federal entities through FedRAMP authorization.

EU-U.S. PRIVACY SHIELD FRAMEWORK

CrowdStrike has been an active participant in the EU-U.S. Privacy Shield Framework since its first certification in 2016. This framework provides companies on either continent a means to comply with data requirements when transferring personal data from the E.U. to the United States. In summary, as a certified participant in the Privacy Shield Framework:

  • CrowdStrike complies with GDPR requirements for the proper handling of personal data collected and stored in the CrowdStrike Falcon platform.
  • CrowdStrike offers platform and cloud security, intelligence subscription services, professional services, and more to organizations looking to achieve GDPR compliance.

SWISS - U.S. PRIVACY SHIELD FRAMEWORK

CrowdStrike is also an active participant in the Swiss-U.S. Privacy Shield Framework, certified in 2017. As a certified participant in the Swiss Privacy Shield Framework:

  • CrowdStrike complies with GDPR requirements for the proper handling of personal data collected and stored in the CrowdStrike Falcon platform.

HIPAA

This report, produced by leading HIPAA compliance assessor Coalfire, outlines how CrowdStrike Falcon can be used to address the requirements of the HIPAA Security Rule, including specific privacy rules for organizations implementing HIPAA (the Health Insurance Portability and Accountability Act).

In summary, the report shows:

  • CrowdStrike Falcon has been independently validated to assist healthcare organizations in achieving compliance with HIPAA.
  • CrowdStrike Falcon was identified as addressing eight separate key HIPAA technical requirements.

NIST SP 800-53 REV. 4

This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon can assist organizations in their compliance efforts with respect to National Institute of Standards and Technology (NIST) Special Publication 800-53 Revision 4. This publication is a security control standard that provides guidelines for selecting technical, physical, and operational security controls for components of an information system that processes, stores, or transmits federal information. In summary, the report shows:

  • CrowdStrike Falcon is a suitable solution for addressing the system protection and monitoring controls identified in NIST SP 800-53 Rev. 4.
  • CrowdStrike Falcon helps implementing organizations address eight separate NIST control families, covering 23 separate controls.

FFIEC

This report, produced by leading compliance assessor Coalfire, outlines how CrowdStrike Falcon can assist organizations in their compliance efforts with respect to the Federal Financial Institutions Examination Council (FFIEC). This framework defines baseline technical, physical, and operational security controls necessary for protecting customer financial information. CrowdStrike’s Falcon platform was evaluated against the 2016 release of the FFIEC IT Examiner’s Handbook for Information Security, a document that provides guidance for examiners auditing financial institutions to determine the level of security risks to the institution’s information systems. In summary, the report shows:

  • CrowdStrike Falcon’s capabilities in detecting and responding to threats, and its associated collection of endpoint activity data, make it a suitable solution for addressing the system protection and monitoring controls required for FFIEC compliance.
  • CrowdStrike Falcon supports achieving five FFIEC objectives, addressing 17 controls within those objectives.

NSA-CIRA

This accreditation from the National Security Agency signifies that CrowdStrike has been evaluated and certified in critical focus areas derived from industry and government best practices for cybersecurity investigation.

  • CrowdStrike is one of only 12 organizations accredited by the National Security Agency for National Security Cyber Assistance Program (NSCAP) Cyber Incident Response Assistance (CIRA).

SERVICE ORGANIZATION CONTROL 2 (SOC 2®)

This attestation addresses a service organization’s controls relevant to security, availability, processing integrity, confidentiality or privacy.

  • CrowdStrike is compliant with Service Organization Control 2 standards and provides its CrowdStrike Falcon customers with a SOC 2® report.
  • The Type 2 report addresses the suitability of design and the operating effectiveness of the controls.

AV-COMPARATIVES TESTING

AV-Comparatives is a leading vendor-independent organization offering systematic testing that checks whether security software lives up to its promises and claims. AV-Comparatives asked CrowdStrike to participate in its first-ever public comparative test report of next-generation security products. In summary, the test report shows:

  • CrowdStrike Falcon received the first-ever ‘Approved NextGen Security’ award.
  • CrowdStrike Falcon was the only tested endpoint solution to achieve 100% detection efficacy on all exploits used in the testing.
  • CrowdStrike Falcon scored between 98% and 99.2% detection efficacy with zero false positives on three separate malware tests performed by AV-Comparatives.

CLOUD SECURITY ALLIANCE (CSA) SECURITY, TRUST, & ASSURANCE REGISTRY (STAR) ATTESTATION

The CSA STAR Attestation is positioned as Level 2 of the Open Certification Framework and involves a third party assessing the security of a cloud service provider using a combination of the SOC 2 framework and additional cloud provider-specific criteria.

  • CrowdStrike’s controls related to customer data and internal controls have been verified by an independent third-party attestation, and CrowdStrike maintains a full STAR attestation. This attestation is re-evaluated on an annual basis.
  • The current CSA STAR attestation is included as part of a combined SOC 2 and CSA STAR report, which addresses the suitability of design and operating effectiveness of CrowdStrike’s applicable security controls.

ANTI-MALWARE TESTING STANDARDS ORGANIZATION (AMTSO)

CrowdStrike is a registered Vendor Member of the Anti-Malware Testing Standards Organization. AMTSO's mission is to help improve business conditions related to the development, use, testing and rating of anti-malware products and solutions.

  • As a vendor member, CrowdStrike contributes to the development of standards for testing anti-malware products.
  • CrowdStrike participates in tests that adhere to the anti-malware testing standards created by AMTSO. For example, the CrowdStrike Machine Learning Engine was certified by AMTSO Testing Member SE Labs.

VPAT

CrowdStrike is committed to complying with relevant government standards and compliance controls. This commitment is reflected in the importance we place on understanding, implementing and maintaining ongoing compliance with these standards for ALL individuals that access and consume our services.

  • CrowdStrike has created a Voluntary Product Accessibility Template (VPAT) in accordance with Section 508 of the Rehabilitation Act of 1973.
  • The Voluntary Product Accessibility Template (VPAT) for the Falcon Platform is available on request to customers and prospective customers.