Safeguarding Mission-Critical Data: Veeam’s Unwavering Commitment to Data Protection and Secure Products for Government Customers

May 24, 2023

Jose Mendoza
Director, Product Management & Information Systems - Veeam

Protecting customer data

In today’s digital landscape, data security is of utmost importance. At Veeam Software (Veeam), we recognize the significance of safeguarding our customers’ sensitive information. As part of our ongoing commitment to security, we are actively pursuing Common Criteria and Department of Defense Information Network Approved Product List (DoDIN APL) certifications. In addition, we are fully compliant with Cybersecurity Maturity Model Certification v2 level 1 (awaiting validation) and engage in Independent Verification & Validation (IV&V). We have also successfully completed FIPS 140-2, SOC type 2 level 1 and ISO 27001 certifications, and we are implementing the Secure Software Development Framework (SSDF) to fortify our security measures further. This update provides an in-depth understanding of these certifications and our dedication to maintaining the highest data protection standards.

Common Criteria certification and DoDIN APL

Common Criteria is an internationally recognized standard for evaluating the security of information technology products. It involves a comprehensive evaluation process, testing our software against rigorous security requirements. By pursuing Common Criteria certification, our goal is to provide our customers assurance that our products adhere to the highest security standards acknowledged by over 30 countries worldwide.

In parallel, we are also pursuing the DoDIN APL certification, which is specifically relevant for our customers operating within the Department of Defense (DoD) ecosystem. This certification ensures that our products meet the stringent security requirements set by the Defense Information Systems Agency (DISA), thereby enhancing the protection of data within the DoDIN framework.

CMMC v2 compliance

The Cybersecurity Maturity Model Certification (CMMC) is an integral part of our commitment to ensuring the security of our customers' data. CMMC v2 is the latest version of this unified standard designed to assess the cybersecurity posture of the defense industrial base (DIB). Compliance with CMMC v2 signifies that our security practices align with the stringent requirements defined by the Department of Defense (DoD). By adhering to these standards, we assure our customers within the defense sector that their data is safeguarded with the utmost care and resilience.

Independent Verification & Validation (IV&V)

To reinforce our security measures, we have engaged in Independent Verification & Validation (IV&V). This process involves a third-party organization conducting thorough testing and evaluation of our software. The independent nature of IV&V ensures an unbiased assessment of our security controls, offering an additional layer of confidence in our commitment to protecting valuable customer data.

FIPS 140-2, SOC type 2 level 1 (and soon level 2) and ISO 27001 certifications

Veeam has successfully completed several vital certifications that further fortify our security posture. FIPS 140-2 is a U.S. government standard that verifies the security requirements of cryptographic modules. This certification ensures that our encryption methods meet the highest standards and provide robust data protection.

SOC type 2 level 1 certification demonstrates our dedication to maintaining the security, availability, processing integrity, confidentiality and privacy of data. We are actively working towards achieving SOC type 2 level 2 certification, enabling us to demonstrate even greater control efficacy and maturity across our systems and processes.

Additionally, Veeam’s compliance with the ISO 27001 standard underscores our commitment to establishing and maintaining a comprehensive information security management system (ISMS). This certification validates that our security practices align with globally recognized best practices, ensuring customer data remains safe and secure.

Implementation of the Secure Software Development Framework (SSDF)

As part of our continuous improvement efforts, Veeam is in the process of implementing the Secure Software Development Framework (SSDF). This framework provides guidance on designing, developing and testing software to ensure adherence to specific security standards. The SSDF allows us to integrate robust security practices into our software development lifecycle, ensuring we proactively address security concerns at every stage of the development process and build products with security in mind from the ground up. By incorporating the SSDF into our development processes, we enhance the security of our software and reinforce our commitment to delivering robust and secure solutions.

At Veeam, our customers’ data security is our top priority. We are committed to maintaining the highest levels of protection for mission-critical data. Pursuing Common Criteria and DoDIN APL certifications, complying with CMMC v2, engaging in Independent Verification & Validation, completing FIPS 140-2, SOC type 2 level 1 (and soon level 2) and ISO 27001 certifications, and implementing the Secure Software Development Framework (SSDF) all demonstrate our unwavering dedication to data security.

By undergoing these certifications and implementing industry-leading security measures, we ensure that customer data remains secure, regardless of the sector. We will continue to evolve and improve our security practices to stay ahead of emerging threats and provide customers the peace of mind they deserve.

When customers choose Veeam and the Veeam Data Platform, they can rest assured they have selected a trusted partner committed to securing their data and the data of their customers, end-users and partners. We value the trust we have built with our government customers and will continue to deliver the highest level of data protection possible to ensure mission continuity.
