Compliance and Certifications

ISO

ISO is the International Organization for Standardization, an independent organization that publishes best-practice standards covering a broad range of industries. Nutanix is committed to maintaining robust security and privacy management systems aligned with the following ISO Standards:


  • ISO/IEC 27001:2013 Requirements for information security management systems
  • ISO/IEC 27017:2015 Code of practice for information security controls based on ISO/IEC 27002 for cloud services
  • ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
  • ISO/IEC 27701:2019 Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
  • ISO 28000:2007 Specification for security management systems for the supply chain

SOC

SOC is a commonly understood set of criteria developed by the American Institute of Certified Public Accountants (AICPA) for providing standard reporting on security controls at a service organization. Nutanix maintains SOC certifications, which provide independent attestation of the security controls in place to protect sensitive data within our product environments.

FIPS Certifications

The Cryptographic Module Validation Program (CMVP) is a joint effort between NIST in the United States and the Canadian Centre for Cyber Security (CCCS), a branch of the Communications Security Establishment (CSE). The CMVP validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards.

Federal agencies in the United States and Canada may acquire active FIPS 140-2 cryptographic modules listed in the CMVP database of validated modules for the protection of sensitive information. FIPS 140-2 certification is required or recommended by many other nations as well as by several industries, including the healthcare and financial industries.

Common Criteria

Common Criteria is an international security certification that is recognized by many countries around the world. When a product achieves certification in one country, the product is recognized as CC certified in all 31 nations participating in the Common Criteria Recognition Agreement (CCRA), and it is recognized across Europe through the SOG-IS agreement. The Common Criteria standard is also an ISO standard, ISO 15408.

Nutanix AOS and AHV are Common Criteria EAL2+ certified. The full Common Criteria certification listing can be viewed on the international Common Criteria Portal (listed under "Other Devices and Systems").

Xi Government Cloud is FedRAMP Authorized

Xi Government Cloud currently holds an Agency Authorization at a moderate security impact level. Nutanix Xi Government Cloud provides US Government agencies and supporting customers a single point of management and analysis across all of their clouds. Nutanix Government Cloud provides a suite of PaaS and SaaS services to enable streamlined cloud management, application delivery, and governance. Nutanix Government Cloud provides solutions to enable customers to adhere to the U.S. International Traffic in Arms Regulations (ITAR).

Nutanix Xi Government Cloud consists of the following services: Xi Frame and Xi Beam. More information can be found on the FedRAMP Marketplace.

FedRAMP

If you have any questions regarding compliance, please reach out to us.