Compliance & certifications
Your security is our top priority
Confidently innovate across your enterprise with an SAP cloud portfolio delivered with embedded security and compliance foundations.
Security is at the forefront of everything we do
The SAP NS2 team is comprised of dedicated individuals with a specific focus on ever-changing regulatory compliance demands. Across security, compliance, legal, support, operations, and engineering, we have an unwavering pledge to deliver emerging technologies to our regulated customer base.
Standardized security model
Centralized monitoring
Continuous web application scanning
Security information and event management (SIEM)
Continuous integration / continuous delivery (CI/CD)
Centralized vulnerability scanning
Centralized log management
Centralized anti-malware
Centralized intrusion detection system
SAP NS2 compliance offerings
Explore our certifications, reports, authorizations, and security frameworks.
FedRAMP®
DISA Provisional Authorization (PA) – FedRAMP + Moderate IL4 (DDCIE)
A security authorization for cloud services that meet the requirements of the Department of War (DOW) and the FedRAMP Moderate Baseline.
FedRAMP Provisional Authorization to Operate (P-ATO)
Provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. SAP NS2 Cloud Intelligent Enterprise was previously FedRAMP-Authorized by the Joint Authorization Board (JAB).
CMMC
The Cybersecurity Maturity Model Certification (CMMC) Program aligns with the Department of War’s (DOW) existing information safeguarding requirements for the Defense Industrial Base (DIB). The program provides the DOW with increased assurance that prospective contractors and subcontractors have implemented contractually required cybersecurity standards for nonfederal information systems that will process, store, or transmit FCI or CUI during contract performance.
CMMC Level I Certification
CMMC Level 1 focuses on protection of FCI. It encompasses the basic safeguarding requirements specific in Federal Acquisition Regulation (FAR) Clause 52.204-21. An annual Level 1 self-assessment, with an accompanying senior company official affirmation of compliance in the Supplier Performance Risk System (SPRS)1, asserts that a contractor is meeting all basic safeguarding requirements for FCI specified in FAR Clause 52.204-21.
CMMC Level II Certification
CMMC Level 2 focuses on protection of FCI and CUI. CMMC Level 2 certification confirms that a defense contractor has implemented the required 110 security controls outlined in National Institute of Standards and Technology SP 800-171, demonstrating the validated safeguards, credibility, and eligibility needed to manage Controlled Unclassified Information (CUI). It enhances protection against sophisticated cyber threats and qualifies organizations to compete for Department of War contracts.
ISO standards & certifications
ISO/IEC 27001:2022 Information security, cybersecurity and privacy protection – Information security management systems
A holistic, risk-based approach that outlines the essential actions an organization must take to develop and maintain a robust Information Security Management System (ISMS).
- View the certificate
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection – Information security controls
A comprehensive and measurable set of information security controls available for organizations as part of the control selection and risk assessment requirement of the ISMS.
ISO 27017:2015 Information technology – Security techniques – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Supports ISO/IEC 27001 by providing guidance on cloud-specific information security controls.
- View the certificate
ISO 27018:2019 Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
Provides codes of practice for cloud service providers to protect personally identifiable information (PII) in the public cloud.
- View the certificate
System & Organization Controls (SOC)
SOC 1 Type II Report
Follows the SSAE 18 and ISAE 3402 standards for auditing engagements and includes a detailed description of the design (type I) and effectiveness (type II) of the audited controls.
SOC 2 Type II Report
Provides insights into the control system relevant to security, availability, processing integrity, confidentiality, and/or privacy of data. It includes a detailed description of the design (type I) and effectiveness (type II) of the audited controls. It is not available for FedRAMP environments
Industry & region specific offerings
GovRAMP Authorization
Provides state and local governments and education institutions with a common method for independent verification and validation of cloud service providers’ security. Like FedRAMP, GovRAMP’s security verification model is based on NIST 800-53 Rev. 4.
Health Insurance Portability and Accountability Act (HIPAA) 3PAO Attestation
A statement from an assessment organization describing how SAP NS2 handles personal health information (PHI) and assures compliance with the Health Insurance Portability and Accountability Act (HIPAA).
Canadian Centre for Cyber Security approval for Protected B data
A security classification used by the Government of Canada (GC) for sensitive information and assets.
Frameworks & guidelines
NIST SP 800-53 Rev 5 Security and Privacy Controls for Information Systems and Organizations
Provides a series of security controls to protect an organization’s operations, assets, personnel, and connecting systems. It is the baseline for systems that are authorized by FedRAMP and StateRAMP and offers Low, Moderate, and High baselines.
NIST Risk Management Framework
A structured process developed by the National Institute of Standards and Technology (NIST) to integrate security, privacy, and cyber supply chain risk management activities into the system development lifecycle.
DOD Cloud Computing Security Requirements Guide (SRG V.1, R.1)
Details the necessary security controls and requirements for cloud-based solutions at the Department of War (DOW).
Committee on National Security Systems Instruction (CNSSI) Number 1253, and Appendix F, Attachment 6 – Privacy Overlay
Provides guidance on security categorization and control selection for National Security Systems (NSS) under the NIST Risk Management Framework (RMF). Appendix F of the CNSSI provides guidance on tailoring security controls based on the assessed risk level of a specific NSS.
DFARS 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
A U.S. regulation requiring organizations providing goods or services to Department of War (DOW) agencies to implement controls defined in NIST 800-171, report cyber incidents within 72 hours, submit malicious software to the DOD Cyber Crime Center (DC3), and participate in DOD Cyber Incident damage assessment activities.
FAR 52.204-21 – Basic Safeguarding of Covered Contractor Information Systems
A U.S. regulation defining Federal Contract Information (FCI) and providing 15 required controls to safeguard Covered Contractor Information Systems.
International Traffic in Arms Regulations (ITAR)
A set of U.S. government regulations administered by the Directorate of Defense Trade Controls (DDTC) within the Department of State to control the export of defense articles, including hardware, software, technical data listed on the U.S. Munitions List (USML), defense services, and related technical data.
Export Administration Regulations (EAR)
A set of guidelines enforced by the Bureau of Industry and Security (BIS) to control the export, reexport, and transfer of commercial items with both commercial and military applications.
NIST-AI-600-1, Artificial Intelligence Risk Management Framework
Provides an open, transparent, and collaborative approach to generative AI use, focused on four primary considerations: Governance, Content Provenance, Pre-deployment Testing, and Incident Disclosure.