Silo is a FedRAMP-authorized service. It has been assessed and approved as a cloud service offering (CSO) that meets the stringent security requirements to process, store and transmit federal government data.
Silo (including both Silo for Safe Access and Silo for Research) was granted FedRAMP authorization as a moderate impact system on March 29, 2021. Granted via Agency Authorization, Silo was assessed by a FedRAMP-authorized third-party assessment organization (3PAO), reviewed by a customer Agency Authorizing Official (AO), granted an Authority to Operate (ATO), and verified by the FedRAMP Program Management Office (PMO). Any Agency AO can reference Silo’s FedRAMP Security Package to assess its security, review customer responsibilities and grant an ATO that permits usage of the system.
The Federal Risk and Authorization Management Program (FedRAMP) was established to provide a standardized approach to security assessment, authorization and continuous monitoring for cloud services. Based on NIST standards, especially NIST SP 800-53, FedRAMP ensures compliance with FISMA requirements, provides Department of Defense reciprocity at Impact Level 2 (IL2) and helps to ensure a system meets DFARS security requirements for the processing of Controlled Unclassified Information. Among FedRAMP’s goals are the acceleration of the adoption of secure cloud services, increasing confidence in those services’ security and the assurance of consistently applied security practices.
Because Silo is a public cloud offering in the FedRAMP marketplace, both Federal Agencies and commercial organizations can leverage Authentic8’s FedRAMP authorization. US government employees and contractors can request a copy of the Silo FedRAMP Security Package from the FedRAMP PMO by filling out a FedRAMP package access request form and emailing it to info@fedramp.gov. Commercial organizations can request guidance from Authentic8 on how to leverage Silo as a FedRAMP authorized service; simply email fedramp@authentic8.com for details.
Authentic8 undergoes periodic, independent assessments on the suitability, design and application of Silo’s security, availability, and confidentiality. As a result, a System and Organization Controls (SOC) 2 Report is available upon request to prospective customers and existing Silo user organizations.
Authentic8’s SOC 2 report describes the Silo platform (both design and implementation) along with the controls and audit results of how each aligns with and meets the AICPA Trust Services Criteria. These criteria, based on SSAE No. 18 attestation standards, provide assurances that Silo is appropriately protected against unauthorized access, unauthorized disclosure of information and damage that could impact the confidentiality, integrity, or availability of its information systems and data. They also ensure that Silo is maintained with appropriate availability for customer use and that its data is appropriately kept confidential and protected.
Organizations with a business need to access Authentic8’s SOC 2 report can request a copy from their Authentic8 account executive or designated point of contact. A report can also be requested by email to support@authentic8.com. In all cases, a non-disclosure agreement (NDA) is required to review Authentic8’s SOC 2 reports.
Authentic8 is a Participating Organization in the PCI Security Standards Council. This gives us the opportunity to participate in the standards development process, recommend new initiatives and play an active role in ensuring that PCI standards address the context of web isolation, remote browsing, and zero trust access.
Silo by Authentic8 is compliant as a PCI DSS Level 2 Service Provider, allowing it to process, transmit, or store cardholder data on behalf of merchants who accept payment cards (American Express, Discover, JCB, MasterCard, or Visa) as payment for goods or services.
The Payment Card Industry Data Security Standard (PCI DSS) ensures that compliant merchants and service providers have appropriate security controls in place to protect cardholder data and reduce credit card fraud. As a component of its PCI DSS compliance, Authentic8 maintains an active Letter of Attestation, Self Assessment Questionnaire (SAQ-D) and Attestation of Compliance (AoC). On a quarterly basis, a PCI-approved scanning vendor (ASV) generates an Attestation of Scan Compliance.
As a result of Authentic8’s PCI DSS compliance, customers can leverage Silo services as a PCI Service Provider with assurances that Silo:
Organizations that need to leverage Silo as a PCI-compliant service provider can request a copy of Authentic8’s PCI Letter of Attestation, SAQ-D and Attestation of Scan Compliance from their Authentic8 account executive or designated point of contact. These can also be requested by email to support@authentic8.com. In all cases, a non-disclosure agreement (NDA) is required to receive Authentic8’s compliance documents.
Silo by Authentic8 is a HIPAA-compliant service that can be leveraged by covered entities (health plans, health care clearinghouses and health care providers). This allows customers who have executed a business associate addendum (BAA) with Authentic8 to use Silo for the processing, storage and transmission of protected health information (PHI).
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) ensures that PHI is secured and maintained with appropriate privacy controls. In addition to HIPAA rules that apply to covered entities — organizations and individuals who directly interact with patient data — certain rules also apply to business associates that these entities use to perform their work (such as Silo). As a component of its HIPAA compliance, in conjunction with Authentic8’s existing information security program and as defined within the BAA, covered entities are assured:
Authentic8 maintains a standard BAA that can be signed by customers who wish to use Silo as a HIPAA compliant service. This BAA defines how covered entities may use Silo and incorporates any applicable customer responsibilities. Customers can request a copy of Authentic8’s BAA by email to legal@authentic8.com.