Compliance and Certifications

ISO

ISO is the International Organization for Standardization, an independent organization that publishes best-practice standards covering a broad range of industries. Nutanix is committed to maintaining robust security and privacy management systems aligned with the following ISO Standards:


  • ISO/IEC 27001:2013 – Requirements for information security management systems
  • ISO/IEC 27017:2015 – Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018:2019 – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27701:2019 – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
  • ISO 28000:2007 – Specification for security management systems for the supply chain

SOC

SOC (System and Organization Controls) is a set of reporting frameworks developed by the American Institute of Certified Public Accountants (AICPA) for standardized, independently audited reporting on the controls at a service organization. Nutanix maintains SOC reports that provide independent attestation of the security controls in place to protect sensitive data within the product environments listed below; the table indicates which report types (SOC 2 Type 1, SOC 2 Type 2, SOC 3) apply to each product, service, or availability zone.

Product / Service / Applicability                                                SOC 2 Type 1   SOC 2 Type 2   SOC 3
Nutanix Cloud Manager (NCM) – Cost Governance (formerly Beam)
Nutanix Frame
Nutanix Cloud Clusters on AWS (NC2)
Nutanix Disaster Recovery-as-a-Service (DRaaS) (formerly Xi Leap)
Nutanix Cloud Manager (NCM) – Security Central (formerly Flow Security Central)
Availability Zone: Oakland, CA, USA (West 1b)
Availability Zone: Reno, NV, USA (West 1c)
Availability Zone: Ashburn, VA, USA (East 1a)
Availability Zone: Ashburn, VA, USA (East 1b)
Availability Zone: Ashburn, VA, USA (East 1c)
Availability Zone: London, England, UK
Availability Zone: Frankfurt, Germany

Nutanix Government Cloud Services is FedRAMP Authorized

Nutanix Government Cloud Services currently holds a FedRAMP Agency Authorization at the Moderate security impact level. It gives US Government agencies and the customers that support them a single point of management and analysis across all of their clouds, delivered as a suite of PaaS and SaaS services for streamlined cloud management, application delivery, and governance. It also provides solutions that help customers adhere to the U.S. International Traffic in Arms Regulations (ITAR).

The Nutanix Government Cloud platform currently consists of the following services: Frame, Nutanix Cloud Manager (NCM) – Cost Governance (formerly Beam), Nutanix Cloud Manager (NCM) – Security Central (formerly Flow Security Central), and Nutanix Cloud Clusters (NC2) on AWS GovCloud. The authorization package details, including the services in scope, can be found on the FedRAMP Marketplace.

Common Criteria

Common Criteria (CC) is an international security certification scheme recognized by many countries. When a product is certified in one country, the certificate is recognized by all 31 nations that participate in the Common Criteria Recognition Arrangement (CCRA), and across Europe through the SOG-IS agreement. Note that CCRA mutual recognition covers certificates at EAL1 and EAL2 (plus the ALC_FLR flaw-remediation components) and those based on collaborative Protection Profiles; SOG-IS recognizes higher assurance levels. The Common Criteria standard is also published as an ISO standard, ISO/IEC 15408.

Nutanix AOS and AHV are Common Criteria EAL2+ certified. The full Common Criteria certification listing can be viewed on the international Common Criteria Portal (listed under "Other Devices and Systems").

DISA maintains the Department of Defense Information Network Approved Products List (DoDIN APL), a list of products that have completed DISA's rigorous Cybersecurity and Interoperability certification process. To follow the procurement requirements defined by the DoD and other departments, agencies may need to purchase only products that appear on the DoDIN APL. Nutanix AOS, AHV, and Files are presently listed on the DoDIN APL. The full DoDIN APL listing can be viewed on the DISA DoDIN website (select "Nutanix" in the Vendor filter drop-down list).

Please contact the Approved Products Certification Office (APCO) with the Nutanix Tracking Number (TN) for additional information on the Nutanix DoDIN APL listing. Note that only government civilian and/or uniformed military personnel may receive the Cybersecurity Assessment Package (CAP).

FIPS Certifications

The Cryptographic Module Validation Program (CMVP) is a joint effort between NIST in the United States and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE). The CMVP validates cryptographic modules against Federal Information Processing Standard (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. FIPS 140-3 has since superseded FIPS 140-2 for new validations, so when checking a certificate, confirm which revision it was issued against.

Federal agencies in the United States and Canada may acquire cryptographic modules with an active FIPS 140-2 listing in the CMVP database of validated modules for the protection of sensitive information; a module whose certificate has moved to the CMVP historical list no longer satisfies this requirement for new procurements. FIPS 140-2 validation is required or recommended by many other nations and by several industries, including healthcare and financial services.

SEC Rule 17a-4(f), FINRA Rule 4511, and CFTC Rule 1.31(c)-(d)

The US Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Commodity Futures Trading Commission (CFTC) have defined explicit requirements for regulated entities that choose to retain regulatory records electronically. To meet these requirements, customers can use Nutanix Objects or Nutanix Files for the storage and retention of electronic records.

Nutanix retained Cohasset Associates, an independent assessment firm that specializes in records management and information governance, to assess the compliance of Nutanix Objects and Nutanix Files with the following electronic records storage and retention rules:

  • The five requirements of SEC Rule 17a-4(f) that relate directly to the recording, storage, and retention of electronic records
  • FINRA Rule 4511
  • The principles-based requirements of CFTC Rule 1.31(c)-(d)

If you have any questions regarding compliance, please reach out to us.