
Salesforce Government Cloud Guide: Features & Compliance

Government Cloud
Last Updated: 2025.04.03
© Copyright 2000–2025 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of salesforce.com, inc.,
as are other names and marks. Other marks appearing herein may be trademarks of their respective owners.
CONTENTS
Government Cloud
Get Started with Government Cloud
What’s Included in Government Cloud
Compliance for Government Cloud
Using AppExchange with Government Cloud
Education Cloud for Government Cloud
Field Service for Government Cloud
Content Delivery Networks for Government Cloud
Messaging for In-App and Web in Government Cloud
Private Connect in Salesforce Government Cloud Plus
Connect to Government Cloud Plus via Salesforce Express Connect
Government Cloud
Discover how Salesforce Government Cloud supports agencies engaged in emergency response, national
defense, and social and human services within a dedicated operating zone. The Government Cloud
operating zone meets stringent government standards. Its tailored compliance protocols, robust security
measures, and integration capabilities ensure data integrity, privacy, and adherence to compliance
requirements.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Designed exclusively for government agencies, Government Cloud enables agencies to customize
Salesforce products and services to securely manage their day-to-day operations. Customize your
Salesforce experience by picking the products and features your agency wants to use. Government Cloud
runs on dedicated servers that are designed to accommodate government data and comply with a wide
array of security, privacy, and risk management requirements. Salesforce delivers this experience in an
environment dedicated to government users and contractors.
In the United States, the authorization process begins with the National Institute of Standards and
Technology (NIST) Risk Management Framework (RMF). The RMF is a process that identifies and
minimizes supply-chain risks and ensures security and privacy in information systems and technology.
Government agencies build on this process to identify specific compliance requirements. A compliance
baseline is a minimum security requirement for government entities, such as the Federal Risk and
Authorization Management Program (FedRAMP®) High or the Department of Defense (DoD) Impact
Level (IL) 5.
Every government agency has unique requirements for digital tools and workflows. For that reason, you
can customize your Government Cloud installation to create a solution that addresses your specific
needs. Government Cloud products are available to all United States local, state, federal, and tribal
agencies or companies who are required to meet United States government security and compliance
requirements.
Government Cloud Offerings
Government Cloud Plus and Government Cloud Plus - Defense environments are secure instances of
Customer 360. Both products comply with United States-mandated security and compliance regulations.
Government Cloud Plus provides a FedRAMP High and DoD IL4 authorized government cloud platform.
Government Cloud Plus - Defense uses a physically dedicated and isolated infrastructure for the DoD
that includes security enhancements for handling DoD IL5 data.
A FedRAMP-approved third-party organization (3PAO) conducts annual security assessments of
Government Cloud. These assessments adhere to NIST Special Publication 800-53A, Assessing Security
and Privacy Controls in Federal and Information Systems and Organizations, as well as FedRAMP and
DoD requirements. Security assessment testing determines the adequacy of the security controls that
Salesforce uses to protect the confidentiality, integrity, and availability of Government Cloud Plus and
Government Cloud Plus - Defense. This testing includes assessing the security of the customer data that
Salesforce stores, transmits, and processes.
Products available in Government Cloud Plus and Hyperforce
Government Cloud Authorization Boundary
Designed for mission impact customers, Government Cloud Plus and Government Cloud Plus - Defense
environments are secure instances of Customer 360. Government Cloud and Government Cloud Plus -
Defense include industry-leading solutions designed with FedRAMP compliance in mind.
Government Cloud defines an authorization boundary as an architectural element. An authorized
boundary is a logical barrier of all components and services within an operating zone. An authorized
boundary outlines the scope of Government Cloud, specifying its interactions with external systems and
services beyond the boundary.
Get Started with Government Cloud
Government Cloud transforms the delivery of government services by using flexible tools to handle
secure data and workloads. Salesforce follows strict compliance requirements to implement dedicated
environments that meet government customers’ compliance obligations. Products in Government
Cloud environments are authorized against one or more public sector compliance baselines.
Government agencies can tailor their compliance baseline to meet their needs. Salesforce has created
a baseline that’s inclusive of all frameworks and controls we support.
What’s Included in Government Cloud
Learn what’s available for agencies using Government Cloud. Explore included services, compliance
considerations, and data protection protocols. Transform your agency’s implementation of
Government Cloud with a custom selection of products and features.
Compliance for Government Cloud
Comply with Federal Risk and Authorization Management Program (FedRAMP) regulations by using
Salesforce Government Cloud.
Using AppExchange with Government Cloud
Scale your Government Cloud org with AppExchange. Ensure compliance and boost your agency’s
efficiency with a wide range of specialized applications. Discover, install, and use third-party
applications that enhance and extend the functionality of Government Cloud.
Education Cloud for Government Cloud
Make sure your institution meets federal and state compliance requirements with Education Cloud for
Government Cloud. Streamline processes such as scheduling, admissions, and student support to help
improve efficiency and reduce costs. Choose the right Education Cloud features to serve students,
educators, and administrators of higher education, with compliance in mind.
Field Service for Government Cloud
Manage your government mobile workforce, scheduling, and dispatching process while meeting
compliance and security requirements. The Field Service desktop site and mobile app let agencies
enhance constituent-based service delivery and customer satisfaction by providing timely and
personalized on-demand services on Android, iOS, and offline.
Content Delivery Networks for Government Cloud
Get fast and reliable access to Salesforce resources with a content delivery network (CDN), a system of
distributed servers. CDNs deliver web content and digital resources based on users' geographic
locations.
Messaging for In-App and Web in Government Cloud
Messaging for In-App and Web provides users with a personalized experience of messaging from their
mobile app or website to the Service Console. The asynchronous messaging experience allows agents
and customers to start and stop communication at their own pace.
Private Connect in Salesforce Government Cloud Plus
Use Government Cloud Plus and Amazon Web Services (AWS) to securely route traffic via internal
connections instead of using the public internet. Salesforce Private Connect is a FedRAMP-High and
DoD Impact Level 5-authorized Salesforce product built on AWS PrivateLink.
Connect to Government Cloud Plus via Salesforce Express Connect
Boost performance by using Salesforce Express Connect. Securely route your data for Government
Cloud Plus orgs by establishing a direct, private connection from your data center to Salesforce
infrastructure.
See Also
What’s Included in Government Cloud
Accessing Government Cloud Compliance Documentation
Get Started with Government Cloud
Government Cloud transforms the delivery of government services by using flexible tools to handle
secure data and workloads. Salesforce follows strict compliance requirements to implement dedicated
environments that meet government customers’ compliance obligations. Products in Government Cloud
environments are authorized against one or more public sector compliance baselines. Government
agencies can tailor their compliance baseline to meet their needs. Salesforce has created a baseline
that’s inclusive of all frameworks and controls we support.
Get Oriented
• Government Cloud
• What's Included in Government Cloud
• Accessing Government Cloud Compliance Documentation
• Compliance for Government Cloud
Dive In: Learn About Recommended Core Features
• Using AppExchange with Government Cloud
• Considerations and Limitations for Installing Government Cloud Packages and AppExchange Apps
Go Deeper: Learn About Features for Specific Business Needs
• Encryption and Compliance for Government Cloud
• Connect to Government Cloud Plus via Salesforce Express Connect
What’s Included in Government Cloud
Learn what’s available for agencies using Government Cloud. Explore included services, compliance
considerations, and data protection protocols. Transform your agency’s implementation of Government
Cloud with a custom selection of products and features.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Government Cloud uses Salesforce core functionality and lets users customize their experience. As you
develop your solution, select the right products and features to accomplish your compliance
requirements. When you’re designing your solution, it’s important to understand the differences between
authorized and interoperable products in Government Cloud.
Note: Due to differences in accreditations, you can choose to accept the risks of using products that
haven’t met the same accreditation standards.
Authorized Versus Interoperable Products
All Salesforce products and features are classified as authorized or interoperable.
Authorized
Products that are included within the Federal Risk and Authorization Management Program
(FedRAMP) Moderate, FedRAMP High, Department of Defense (DoD) Impact Level (IL) 2, IL4,
and IL5 authorization boundaries.
Interoperable
Products have undergone functional testing within a Government Cloud instance to ensure all
functionality works as intended. Products don’t always meet FedRAMP or DoD security and
authorization boundary requirements. The product hasn’t been evaluated and assessed in
accordance with FedRAMP or DoD security and authorization boundary requirements.
Customers can make a risk-based decision and take on any risk due to the product not being
FedRAMP authorized.
Interoperability can be blocked or adversely impacted by network access limitations for United
States government customers on restricted access networks such as the Non-Classified Internet
Protocol Routing Network (NIPRNet) or other restricted enclaves. You’re responsible for
following safe software deployment and testing the functionality of interoperable products in a
nonproduction environment.
Note: The information is strictly for the convenience of our customers and is for general
informational purposes only. Salesforce doesn’t warrant the accuracy or completeness of any
information, text, graphics, links, or other items in this document. Salesforce advises its customers
that though a product is included within the FedRAMP Moderate, FedRAMP High, DoD IL2, or DoD
IL4 Authorization Boundaries, specific features may or may not be included within such boundaries.
Salesforce doesn’t guarantee that you achieve any specific results if you use this document. It may
be advisable for you to consult with a professional, such as an agency authorization official, agency
counsel, accountant, architect, business advisor or professional engineer to get specific advice that
applies to your particular situation. This document is subject to change at any time without notice.
Because Salesforce continues to innovate by providing each customer multiple major release
upgrades each year, we can’t guarantee that these answers will remain the same over time. The
rights and responsibilities with regard to your use of Salesforce's online software services shall be set
forth in a negotiated agreement that doesn’t incorporate the attached document.
See Also
Government Cloud Available Products and Features
Compliance for Government Cloud
Comply with Federal Risk and Authorization Management Program (FedRAMP) regulations by using
Salesforce Government Cloud.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Compliance for United States government agencies involves strict security measures, such as encryption,
access controls, and regular audits. Compliance ensures the confidentiality, integrity, and availability of
data stored in the cloud.
As governments adopt cloud technologies to store and manage their data, Salesforce provides
compliance with various security and privacy standards. As the primary compliance framework for
computing systems, FedRAMP provides a standardized approach to security assessment, authorization,
and continuous monitoring for cloud service providers (CSPs) serving federal agencies.
CSPs undergo rigorous security assessments to obtain FedRAMP authorization to offer their services to
government agencies. By adhering to these standards, Government Cloud mitigates risks and maintains
trust in their handling of sensitive information.
Government Cloud handles the critical aspects of modernizing government infrastructure while
safeguarding sensitive data and maintaining public trust.
Compliance by Operating Zone
This baseline set of compliance standards enables the sharing of data, operations, and the use of
Salesforce by government defense entities and contractors.
Salesforce Government Cloud Plus:
• FedRAMP High Provisional Authority to Operate (P-ATO) from the FedRAMP Board
• Department of Defense (DoD) Impact Level (IL) 4 Provisional Authority (PA), Internal Revenue Service (IRS) 1075
• National Institute of Standards and Technology (NIST) Special Publications (SP) 800-171 attestations
Salesforce Government Cloud Plus - Defense:
• FedRAMP High P-ATO from the FedRAMP Board
• DoD IL5 PA, IRS 1075
• NIST SP 800-171 attestations
Accessing Government Cloud Compliance Documentation
Access documentation to help you protect your data in Government Cloud Plus.
Encryption and Compliance for Government Cloud
Learn how to strike a balance between encryption limits, Salesforce functionality, and compliance
requirements. Give your users the power to interact with data in a meaningful way while staying
Federal Information Processing Standard (FIPS) compliant.
Customer Data Information Spillage
Understand the importance of preventing the unintended exposure of customer data in Government
Cloud. Learn the compliance requirements for safeguarding customer data, while maintaining security
and compliance.
Mitigate Information Spillage
Protect the integrity of your Salesforce org’s data by mitigating any issues caused by information
spillage.
See Also
Accessing Government Cloud Compliance Documentation
Encryption and Compliance for Government Cloud
Accessing Government Cloud Compliance Documentation
Access documentation to help you protect your data in Government Cloud Plus.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Compliance documentation related to Salesforce Government Cloud Plus is proprietary and confidential
information. Eligible organizations are granted documentation access, which includes Federal Risk and
Authorization Management Program (FedRAMP) and Department of Defense (DoD) authorization
packages. Salesforce Government Cloud Plus documentation includes additional security measures to
uphold the confidentiality and integrity of the contents. If you have access to Government Cloud
documentation, you are prohibited from copying, pasting, or reproducing any content. Because the
content is sensitive, you must reference source materials rather than specific portions of the
documentation.
Government Cloud Plus compliance documentation is accessible from a secure portal. After individual
access is granted, Salesforce notifies you via email.
Use this URL to access the secure documentation portal:
https://publicsector-compliance-us.my.salesforce.com/
Accessing Documentation for US Federal Government Organizations
Learn how to securely access Federal Risk and Authorization Management Program (FedRAMP)
documentation.
Accessing Documentation for Other Agencies
Learn how to work with your Salesforce account executive to access compliance documentation.
See Also
Accessing Documentation for US Federal Government Organizations
Accessing Documentation for Other Agencies
Accessing Documentation for US Federal Government Organizations
Learn how to securely access Federal Risk and Authorization Management Program (FedRAMP)
documentation.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
FedRAMP provides a standardized approach to security authorizations. United States federal government
organizations must follow the established FedRAMP process for obtaining access to all Government
Cloud Plus compliance documentation. If you’re a Department of Defense (DoD) organization, use an
.mil email address or append DoD to the package name to access documentation.
1. Download the FedRAMP Package Access Request Form.
2. Complete the package request form.
a. Enter the package name: Salesforce Government Cloud Plus
b. Enter the package ID: FR2003061248
3. Complete and submit the form.
See Also
Accessing Government Cloud Compliance Documentation
Accessing Documentation for Other Agencies
Accessing Documentation for Other Agencies
Learn how to work with your Salesforce account executive to access compliance documentation.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
United States government contractors, federally funded research and development centers (FFRDCs),
state and local governments, Salesforce implementation partners, and other eligible agencies can access
relevant Government Cloud Plus compliance documentation.
1. Contact your Salesforce account executive and request compliance documentation.
2. After access is granted to the secure hosted portal, complete the non-disclosure agreement (NDA).
3. Access to documentation is granted after you sign the NDA.
See Also
Accessing Government Cloud Compliance Documentation
Accessing Documentation for US Federal Government Organizations
Encryption and Compliance for Government Cloud
Learn how to strike a balance between encryption limits, Salesforce functionality, and compliance
requirements. Give your users the power to interact with data in a meaningful way while staying Federal
Information Processing Standard (FIPS) compliant.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Salesforce Shield is a trio of security tools that builds extra levels of trust, compliance, and governance
into your business-critical apps. It includes Salesforce Shield Platform Encryption, Event Monitoring, and
Field Audit Trail. Salesforce Shield provides an additional layer of data protection with Government
Cloud. By default, Shield Platform Encryption implements FIPS 140 validated encryption at rest at the
volume level.
Salesforce gives you control over what fields and files you encrypt. Shield Platform Encryption uses
strong, probabilistic encryption by default on data stored at rest. Shield Platform Encryption uses the
FIPS-validated Advanced Encryption Standard (AES) with 256-bit keys in cipher block chaining (CBC)
mode with a random initialization vector.
Data Encryption Versus Functionality
Encrypting data at rest can be difficult when you’re trying to preserve Salesforce functionality. To improve
Salesforce functionality while encrypting data at rest, use a static initialization vector instead of a random
initialization vector. Static initialization vector, also known as deterministic encryption, isn’t FIPS-validated.
If you have concerns or questions after you review your Salesforce configuration, work with a partner or
Salesforce Customer Support. Together you can assess the risk of deterministic encryption and, if
applicable, the functional impact of switching to probabilistic encryption.
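The trade-off described above, as an added illustration that is not Salesforce code: AES-256-CBC with a random IV cannot be filtered by ciphertext, while a static IV allows exact-match filtering but also reveals which stored values are equal or share a leading 16-byte block. It uses Node.js's built-in crypto module; the key, the all-zero static IV, the sample values and every function name are constructed for the example and say nothing about how Salesforce derives its keys or IVs.

```javascript
// Added example: probabilistic (random IV) vs deterministic (static IV) AES-256-CBC.
const nodeCrypto = require('node:crypto');

// Constructed demo key and static IV (assumptions, not platform key material).
const KEY = nodeCrypto.createHash('sha256').update('constructed-demo-key').digest();
const STATIC_IV = Buffer.alloc(16, 0);

// Constructed sample column: rows 0 and 2 are equal, rows 3 and 4 share a 16-byte prefix.
const SAMPLE = [
  'Benefits-Tier-A',
  'Benefits-Tier-B',
  'Benefits-Tier-A',
  'Region-07/Office-12/Clerk-A',
  'Region-07/Office-12/Clerk-B',
];

// Encrypt one value; the IV is stored in front of the ciphertext (hex encoded).
function encrypt(plaintext, deterministic) {
  const iv = deterministic ? STATIC_IV : nodeCrypto.randomBytes(16);
  const cipher = nodeCrypto.createCipheriv('aes-256-cbc', KEY, iv);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body]).toString('hex');
}

// Decrypt a stored value using the IV that was stored with it.
function decrypt(hex) {
  const raw = Buffer.from(hex, 'hex');
  const decipher = nodeCrypto.createDecipheriv('aes-256-cbc', KEY, raw.subarray(0, 16));
  return Buffer.concat([decipher.update(raw.subarray(16)), decipher.final()]).toString('utf8');
}

// Encrypt a whole column, as a datastore holding only ciphertext would.
function encryptColumn(values, deterministic) {
  return values.map((value) => encrypt(value, deterministic));
}

// Exact-match filter without decrypting: encrypt the term, compare ciphertexts.
// Returns the matching row indexes.
function filterByCiphertext(column, term, deterministic) {
  const needle = encrypt(term, deterministic);
  return column.reduce((hits, ct, i) => (ct === needle ? hits.concat(i) : hits), []);
}

// What a reader of the stored ciphertext alone learns: groups of rows
// whose values are identical.
function equalityGroups(column) {
  const groups = new Map();
  column.forEach((ct, i) => groups.set(ct, (groups.get(ct) || []).concat(i)));
  return [...groups.values()].filter((rows) => rows.length > 1);
}

// Number of leading 16-byte ciphertext blocks two stored values have in common.
// With a static IV in CBC mode, a shared plaintext prefix shows up here.
function sharedLeadingBlocks(ctA, ctB) {
  const a = ctA.slice(32); // skip the 16-byte IV (32 hex characters)
  const b = ctB.slice(32);
  let n = 0;
  while ((n + 1) * 32 <= Math.min(a.length, b.length) &&
         a.slice(n * 32, (n + 1) * 32) === b.slice(n * 32, (n + 1) * 32)) {
    n += 1;
  }
  return n;
}

// Side-by-side summary of functionality gained and information revealed.
function compareModes() {
  const summary = {};
  for (const [name, deterministic] of [['probabilistic', false], ['deterministic', true]]) {
    const column = encryptColumn(SAMPLE, deterministic);
    summary[name] = {
      filterHits: filterByCiphertext(column, 'Benefits-Tier-A', deterministic),
      equalRowsVisible: equalityGroups(column),
      prefixBlocksVisible: sharedLeadingBlocks(column[3], column[4]),
    };
  }
  return summary;
}

console.log(JSON.stringify(compareModes(), null, 2));
```

The deterministic column answers the filter but exposes the equality and prefix relationships between rows, which is the risk to weigh when reviewing fields that use it.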
See Also
Salesforce Shield
Filter Encrypted Data with Deterministic Encryption
Considerations for Using Deterministic Encryption
Customer Data Information Spillage
Understand the importance of preventing the unintended exposure of customer data in Government
Cloud. Learn the compliance requirements for safeguarding customer data, while maintaining security
and compliance.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Information spillage is the unintended exposure of sensitive data either from: (1) a classified information
system to an unclassified information system; or (2) a higher classification or protection level to a lower
classification or protection level environment.
To safeguard government data, the Federal Risk and Authorization Management Program (FedRAMP)
and the Department of Defense (DoD) enforce security standards for cloud services that U.S. federal
agencies use. Immediate response actions include containment, eradication, and notification of
authorities, along with efforts to prevent future spillages.
In Salesforce, spillage occurs when a user enters sensitive data into a field or uploads a file to Salesforce
that exceeds the current system authorization level. If a spillage occurs, the customer is responsible for
the remediation actions. Avoid including, collecting, processing, or storing data that exceeds the current
authorization level of the cloud environment where your Salesforce instance is hosted.
Shield Platform Encryption mitigates spillage by ensuring that the data that's associated with potential
information spills is unrecoverable from Salesforce-managed backups.
See Also
Accessing Government Cloud Compliance Documentation
Delete Unwanted Data in an Organization
Mitigate Information Spillage
Protect the integrity of your Salesforce org’s data by mitigating any issues caused by information spillage.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Prerequisites: Administrators and users with Modify All Data permissions determine if access to certain
fields should be restricted while the information spillage cleanup is underway.
USER PERMISSION NEEDED
To empty the recycle bin: Modify All Data user permission is required
To generate, destroy, export, import, upload, and configure tenant secrets and customer-supplied key material: Manage Encryption Keys
A timely response to customer data information spillage is critical to reduce the impact of the spillage.
Customers must first delete any data exposed by the spillage, and then take the steps to permanently
delete that data from Salesforce.
Note: Salesforce isn't able to assess, determine, or confirm the types of data that customers
authorize for storage. As such, Salesforce can’t provide direct data management support.
After an information spillage is identified, it’s your responsibility to delete all data related to the
information spillage from your org.
1. Delete exposed data via UI or API.
2. Open your recycle bin.
3. Select the items you want to permanently delete from the recycle bin. Click delete.
4. To permanently delete all items in the org recycle bin, click empty org recycle bin.
5. Request a physical delete of the data. Create a support case.
Note: Customers using Shield Platform Encryption to encrypt the relevant data can choose to
perform a cryptographic erase by destroying their encryption key material, which renders the data
inaccessible and unusable. Caution must be taken with this approach to minimize data loss.
See Also
Using Data Loader: Inserting, Updating, or Deleting Data with Data Loader
Delete Unwanted Data in an Organization
Using AppExchange with Government Cloud
Scale your Government Cloud org with AppExchange. Ensure compliance and boost your agency’s
efficiency with a wide range of specialized applications. Discover, install, and use third-party applications
that enhance and extend the functionality of Government Cloud.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
AppExchange is a marketplace for packaged configurations called apps. AppExchange apps pass an
initial security review before they’re offered for use. An independent software vendor (ISV) initiates this
review by submitting the app to Salesforce, and this review is distinct from any specific requirement
imposed by the United States government. Compatible apps indicate Compatible With Government
Cloud in the description.
Some apps have independently acquired Federal Risk and Authorization Management Program
(FedRAMP) authorizations. However, AppExchange and the apps listed on it aren’t included within the
authorization boundaries of Salesforce Government Cloud Plus or Government Cloud Plus - Defense.
The United States government compliance frameworks, including FedRAMP and US Department of
Defense (DoD) authorizations, don’t include apps from AppExchange. Salesforce offers two relevant
filters within the AppExchange search functionality to help United States government organizations find
ready-to-use apps.
Considerations and Limitations for Installing Government Cloud Packages and AppExchange Apps
Review essential guidelines before installing packages and AppExchange apps in Government Cloud.
Learn how to filter for packages and apps for government agencies while addressing compliance and
security considerations.
Compliance of AppExchange Apps for Government Cloud
Ensure compliance with government regulations and security standards while accessing applications
on AppExchange. Review the controls used to assess Salesforce native apps, which guarantee data
integrity, privacy, and adherence to stringent compliance requirements.
Filter for Government Cloud Apps in AppExchange
Locate AppExchange apps that are compatible with Government Cloud Plus and Government Cloud
Plus - Defense.
Filter for FedRAMP Compliant Applications
Locate apps that are Federal Risk and Authorization Management Program (FedRAMP) compliant and
compatible with Government Cloud Plus and Government Cloud Plus - Defense.
Filter for Native Apps in AppExchange
Locate apps that are native to Salesforce and compatible with Government Cloud Plus and
Government Cloud Plus - Defense.
See Also
Filter for Government Cloud Apps in AppExchange
Filter for FedRAMP Compliant Applications
Filter for Native Apps in AppExchange
Considerations and Limitations for Installing Government Cloud
Packages and AppExchange Apps
Review essential guidelines before installing packages and AppExchange apps in Government Cloud.
Learn how to filter for packages and apps for government agencies while addressing compliance and
security considerations.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
A managed package is a container that includes the components of a Salesforce application, and it’s a
mechanism for installing apps in Salesforce. Unmanaged packages can be used to distribute open-source
projects to developers or as a one-time drop of applications that require customization after installation.
When installing managed or unmanaged packages in Government Cloud, consider the location of the
package subscriber org.
Considerations for Installation
• All managed and unmanaged packages in Government Cloud are supported when the package
subscriber is located in Government Cloud.
• Managed and unmanaged packages in Government Cloud are unsupported when the package
subscriber org is outside Government Cloud.
• We recommend customers engage with a third-party assessment organization (3PAO) or their internal
risk management organization to determine the controls relevant to a native app.
Limitations for Salesforce Partners
The License Management App (LMA) manages licenses for your AppExchange solutions. Some
limitations to the LMA in Government Cloud apply.
• Partner support access isn’t supported for the LMA within Government Cloud.
• Partners can’t update the license of a Government Cloud subscriber org from an LMA outside of
Government Cloud.
See Also
Using AppExchange with Government Cloud
Compliance of AppExchange Apps for Government Cloud
Ensure compliance with government regulations and security standards while accessing applications on
AppExchange. Review the controls used to assess Salesforce native apps, which guarantee data integrity,
privacy, and adherence to stringent compliance requirements.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
AppExchange Compliance
Before we list an app on AppExchange, Salesforce mandates rigorous adherence to our comprehensive
security review processes. Stringent measures are established and consistently maintained for apps
available to Government Cloud users. Compliance standards are especially important for apps designed
specifically for Government Cloud. These standards play a critical role in upholding the data security and
fulfilling the regulatory requirements that are vital to Government Cloud.
Compliance Control Enhancements
Before you install an app on your Salesforce Government Cloud org, ensure that the app meets your
organizational requirements. Work with your Authorizing Official (AO) to verify the appropriate list of
controls for your organization. If you’re a United States government agency, you must verify with their AO
the appropriate list of controls that meet organizational requirements for single-tenant apps deployed to
a Federal Risk and Authorization Management Program (FedRAMP) and Department of Defense (DoD)
compliant platform as a service (PaaS).
The FedRAMP Third-Party Assessment Organization (3PAO) used for Salesforce Government Cloud
recommends specific controls for assessing Salesforce native apps against the FedRAMP Moderate
control baseline, which you can reference at: https://nvd.nist.gov/800-53. FedRAMP provides a catalog
of controls for systems and organizations to manage information security and privacy risk.
This list of controls outlines the baseline requirements for service providers to maintain secure cloud
services.
Awareness Response Training
• AT-2 - SECURITY AWARENESS TRAINING
• AT-2 (2) - SECURITY AWARENESS TRAINING | INSIDER THREAT
• AT-3 - ROLE-BASED SECURITY TRAINING
• AT-4 - SECURITY TRAINING RECORDS
Incident Response Training
• IR-2 - INCIDENT RESPONSE TRAINING
• IR-3 - INCIDENT RESPONSE TESTING
• IR-3 (2) - INCIDENT RESPONSE TESTING | COORDINATION WITH RELATED PLANS
• IR-4 - INCIDENT HANDLING
• IR-4 (1) - INCIDENT HANDLING | AUTOMATED INCIDENT HANDLING PROCESSES
• IR-5 - INCIDENT MONITORING
• IR-6 - INCIDENT REPORTING
• IR-6 (1) - INCIDENT REPORTING | AUTOMATED REPORTING
• IR-7 - INCIDENT RESPONSE ASSISTANCE
• IR-7 (1) - INCIDENT RESPONSE ASSISTANCE | AUTOMATION SUPPORT FOR AVAILABILITY OF
INFORMATION / SUPPORT
• IR-7 (2) - INCIDENT RESPONSE ASSISTANCE | COORDINATION WITH EXTERNAL PROVIDERS
• IR-8 - INCIDENT RESPONSE PLAN
• IR-9 - INFORMATION SPILLAGE RESPONSE
• IR-9 (1) - INFORMATION SPILLAGE RESPONSE | RESPONSIBLE PERSONNEL
• IR-9 (2) - INFORMATION SPILLAGE RESPONSE | TRAINING
• IR-9 (3) - INFORMATION SPILLAGE RESPONSE | POST-SPILL OPERATIONS
• IR-9 (4) - INFORMATION SPILLAGE RESPONSE | EXPOSURE TO UNAUTHORIZED PERSONNEL
Position Risk Designation
• PS-2 - POSITION RISK DESIGNATION
• PS-3 - PERSONNEL SCREENING
• PS-3 (3) - PERSONNEL SCREENING | INFORMATION WITH SPECIAL PROTECTION MEASURES
• PS-4 - PERSONNEL TERMINATION
• PS-5 - PERSONNEL TRANSFER
• PS-6 - ACCESS AGREEMENTS
• PS-7 - THIRD-PARTY PERSONNEL SECURITY
• PS-8 - PERSONNEL SANCTIONS
System Development Life Cycle Designation
• SA-3 - SYSTEM DEVELOPMENT LIFE CYCLE
• SA-5 - INFORMATION SYSTEM DOCUMENTATION
• SA-8 - SECURITY ENGINEERING PRINCIPLES
• SA-10 - DEVELOPER CONFIGURATION MANAGEMENT
• SA-10 (1) - DEVELOPER CONFIGURATION MANAGEMENT | SOFTWARE / FIRMWARE INTEGRITY
VERIFICATION
• SA-11 - DEVELOPER SECURITY TESTING AND EVALUATION
• SA-11 (1) - DEVELOPER SECURITY TESTING AND EVALUATION | STATIC CODE ANALYSIS
• SA-11 (2) - DEVELOPER SECURITY TESTING AND EVALUATION | THREAT AND VULNERABILITY
ANALYSES
• SA-11 (8) - DEVELOPER SECURITY TESTING AND EVALUATION | DYNAMIC CODE ANALYSIS
Flaw Remediation Designation
• SI-2 - FLAW REMEDIATION
• SI-2 (2) - FLAW REMEDIATION | AUTOMATED FLAW REMEDIATION STATUS
• SI-2 (3) - FLAW REMEDIATION | TIME TO REMEDIATE FLAWS / BENCHMARKS FOR CORRECTIVE
ACTIONS
• SI-10 - INFORMATION INPUT VALIDATION
• SI-11 - ERROR HANDLING
See Also
Considerations and Limitations for Installing Government Cloud Packages and AppExchange Apps
Filter for Government Cloud Apps in AppExchange
Locate AppExchange apps that are compatible with Government Cloud Plus and Government Cloud Plus
- Defense.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
1. Go to AppExchange.
2. Select Solutions by Type and then Apps.
3. Under Clouds and Features, select Government Cloud.
4. Select Apply Filters.
Important
• Salesforce makes no compliance or interoperability claims associated with these apps. The
independent software vendor (ISV) has only confirmed and reported that their app can be
installed and successfully used in the Salesforce Government Cloud Plus and Government Cloud
Plus - Defense environments.
• An app that isn’t indicated as compatible with Government Cloud can work with the Government
Cloud Plus and Government Cloud Plus - Defense environments but likely hasn’t been tested or
reported by the ISV. In these cases, we encourage you to inquire with the ISV.
See Also
Filter for FedRAMP Compliant Applications
Filter for Native Apps in AppExchange
Filter for FedRAMP Compliant Applications
Locate apps that are Federal Risk and Authorization Management Program (FedRAMP) compliant and
compatible with Government Cloud Plus and Government Cloud Plus - Defense.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Only services that are multi-tenant or multi-instance are eligible for a FedRAMP or Department of
Defense (DoD) provisional authorization. The label FedRAMP Compliant is self-reported by an
independent software vendor (ISV). Under most circumstances, native apps aren’t included, as they’re
likely not eligible for FedRAMP or DoD provisional authorization.
1. Go to AppExchange.
2. Select Solutions by Type and then Apps.
3. Under Other Filters, select FedRAMP Compliant.
4. Select Apply Filters.
Note All FedRAMP compliant apps can be cross-referenced with listings on the FedRAMP
Marketplace or the DoD Cloud Catalog. While Salesforce consults these sources initially, Salesforce
doesn’t verify the ongoing status of an ISV's FedRAMP authorization. Therefore, we recommend you
independently verify the FedRAMP status.
See Also
Filter for Government Cloud Apps in AppExchange
Filter for Native Apps in AppExchange
Filter for Native Apps in AppExchange
Locate apps that are native to Salesforce and compatible with Government Cloud Plus and Government
Cloud Plus - Defense.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
The Native App label indicates an app is built 100% on the Salesforce platform. Third parties don’t
process customer data used in native apps, and Salesforce doesn’t share data used by native apps
outside the Government Cloud physical boundary.
1. Go to AppExchange.
2. Select Solutions by Type and then Apps.
3. Under Other Filters, select Native.
4. Select Apply Filters.
Note Since this label is self-reported by an ISV, Salesforce has no responsibility as to the accuracy
therein. Therefore, you can verify with the ISV that customer data doesn’t leave or use components
outside the Salesforce Government Cloud Plus or Government Cloud Plus - Defense physical
boundaries. Additionally, there are instances when an app may be native, but external callouts exist
to third-party services. An example of an external callout is the use of AWS for geolocation data with
Salesforce Maps. If the app does make external callouts and/or receives data from external sites,
verify that its package install process includes a screen listing those specific sites, which must be
approved by your Salesforce admin.
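One way to review the external sites a native app declares, as an added example (not Salesforce's or any ISV's code). It assumes you have the app's metadata source files and reads the RemoteSiteSetting and CspTrustedSite metadata types; the file names, hosts, and approved list are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "{http://soap.sforce.com/2006/04/metadata}"
# Metadata type -> child element that holds the external URL.
URL_FIELD = {"RemoteSiteSetting": "url", "CspTrustedSite": "endpointUrl"}


def _site(kind, field, url, active="true", extra=""):
    """Build a constructed metadata file body for the sample below."""
    return (f'<{kind} xmlns="http://soap.sforce.com/2006/04/metadata">{extra}'
            f"<isActive>{active}</isActive><{field}>{url}</{field}></{kind}>")


# Constructed sample: file names, hosts and settings are hypothetical.
SAMPLE_PACKAGE = {
    "remoteSiteSettings/Geo.remoteSite-meta.xml":
        _site("RemoteSiteSetting", "url", "https://geo.example.com"),
    "remoteSiteSettings/Legacy.remoteSite-meta.xml":
        _site("RemoteSiteSetting", "url", "http://legacy.example.org/api",
              extra="<disableProtocolSecurity>true</disableProtocolSecurity>"),
    "remoteSiteSettings/Old.remoteSite-meta.xml":
        _site("RemoteSiteSetting", "url", "https://old.example.org", active="false"),
    "cspTrustedSites/Cdn.cspTrustedSite-meta.xml":
        _site("CspTrustedSite", "endpointUrl", "https://cdn.example.net"),
}


def declared_endpoints(files):
    """Yield one dict per active external site declared in the metadata."""
    for path, xml_text in sorted(files.items()):
        root = ET.fromstring(xml_text)
        kind = root.tag.replace(MD, "")
        if kind not in URL_FIELD:
            continue  # not one of the metadata types reviewed here
        if (root.findtext(MD + "isActive") or "true").strip() != "true":
            continue  # inactive entries are not in effect
        yield {
            "path": path,
            "url": (root.findtext(MD + URL_FIELD[kind]) or "").strip(),
            "protocol_security_disabled":
                (root.findtext(MD + "disableProtocolSecurity") or "").strip() == "true",
        }


def review(files, approved_hosts):
    """Return (path, host, reason) for each declared site an admin should question."""
    approved = {h.lower() for h in approved_hosts}
    findings = []
    for ep in declared_endpoints(files):
        parts = urlsplit(ep["url"])
        host = (parts.hostname or "").lower()
        if host not in approved:
            findings.append((ep["path"], host, "host not on approved list"))
        if parts.scheme != "https":
            findings.append((ep["path"], host, "endpoint is not HTTPS"))
        if ep["protocol_security_disabled"]:
            findings.append((ep["path"], host, "protocol security disabled"))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_PACKAGE, {"geo.example.com"}):
        print(*finding, sep=" | ")
```

This covers only sites the package declares in metadata, so it supplements the ISV's written confirmation rather than replacing it.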
See Also
Filter for Government Cloud Apps in AppExchange
Filter for FedRAMP Compliant Applications
Education Cloud for Government Cloud
Make sure your institution meets federal and state compliance requirements with Education Cloud for
Government Cloud. Streamline processes such as scheduling, admissions, and student support to help
improve efficiency and reduce costs. Choose the right Education Cloud features to serve students,
educators, and administrators of higher education, with compliance in mind.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Education Cloud is FedRAMP-High, Department of Defense (DoD) Impact Level (IL) 4 and IL5
authorized. Federal and DoD post-secondary institutions and state agencies that must use FedRAMP or
DoD-authorized technology can leverage Education Cloud in Government Cloud Plus and Government
Cloud Plus - Defense to help meet compliance needs.
Note State agencies in Texas are subject to TX-RAMP requirements. Government Cloud Plus is
FedRAMP authorized and satisfies TX-RAMP requirements based on its FedRAMP authorization.
Considerations for Education Cloud Compliance in Government Cloud
Before you use Education Cloud for Government Cloud, review features such as CRM Analytics, Virtual
Calls, and approved products.
See Also
Education Cloud
Virtual Calls
Considerations for Education Cloud Compliance in Government
Cloud
Before you use Education Cloud for Government Cloud, review features such as CRM Analytics, Virtual
Calls, and approved products.
CRM Analytics for Education Cloud
You must purchase the No-Third-Party Terms version of this product to make sure that data remains
within the authorization boundary.
Virtual Calls
Virtual Calls use Amazon Chime, an Amazon Web Services (AWS) cloud-based telephony service. Amazon
Chime is located in the AWS East and West regions. Telephony services in those regions are outside of
Salesforce's authorization boundary. You can make a risk-informed decision whether to use Virtual Calls.
Education Cloud Products Approved by Authorized Officials (AO)
Note The information provided below is strictly for the convenience of our customers and is for
general informational purposes only. Salesforce does not warrant the accuracy or completeness of
any information, text, graphics, links, or other items in this document. Salesforce advises its
customers that though a product may be included within the FedRAMP High, DoD IL4, or DoD IL5
Authorization Boundaries, specific features of such product may or may not be included within such
boundaries. Salesforce does not guarantee that you will achieve any specific results if you utilize this
document. It may be advisable for you to consult with a professional, such as an agency
authorization official, agency counsel, accountant, architect, business advisor or professional
engineer to get specific advice that applies to your particular situation. This document is subject to
change at any time without notice. Because Salesforce continues to innovate by providing each
customer multiple major release upgrades each year, we cannot guarantee that these answers will
remain the same over time. The rights and responsibilities with regard to your use of Salesforce's
online software services shall be set forth in a negotiated agreement that does not incorporate the
attached document.
Product/Feature | Authorized | Interoperable
Education Cloud (Includes Education Data Architecture) | ✓ | —
Experience Cloud for Learner Success (Including Logins) | ✓ | —
Admissions Connect (Including Sales; End of Sale (EOS) 2023) | ✓ | —
Student Success Hub (Including K12, Part-time Staff, Part-time Reviewer, & Salesforce Advisor Link; End of Sale (EOS) 2023) | ✓ | —
CRM Analytics for Education Cloud (Not including third-party terms) | ✓ | —
CRM Analytics for Education Cloud (Including third-party terms such as adding intelligence features) | — | ✓
Virtual Calls (Client Side) | — | ✓
Document Generation | ✓ | —
See Also
Document Generation
Virtual Calls
Field Service for Government Cloud
Manage your government mobile workforce, scheduling, and dispatching process while meeting
compliance and security requirements. The Field Service desktop site and mobile app lets agencies
enhance constituent-based service delivery and customer satisfaction by providing timely and
personalized on-demand services on Android, iOS, and offline.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
The Government Cloud Field Service core features, managed package, and mobile app are available in
Unlimited and Enterprise Editions.
To access the Field Service mobile app, users need the Field Service Mobile user license.
Field Service lets you optimize and streamline your field operations, from scheduling and dispatching to
tracking and managing activities. With real-time visibility and intelligent automation, Field Service
ensures timely and efficient service delivery. Field Service integrates with many Salesforce products,
providing government agencies a unified platform for workforce collaboration with constituent
relationship management.
Foundations of Field Service Operations
Government Cloud Field Service operations are built upon several elements designed to optimize and
streamline management processes in the field.
• Customer experience: Field Service lets you manage and communicate service requests with your
constituents by managing service requests via communication channels. Your constituents can access
self-service portals to view job statuses and service-related information.
• Work and asset management: Field Service enables operational efficiency through work order
management, asset tracking, and preventive maintenance measures.
• Schedule and dispatch: Field Service supports dispatching of operations with dynamic scheduling,
route optimization, and real-time visibility. This enables government agencies to proactively adjust
schedules and resource allocation for enhanced efficiency.
• Mobile worker productivity: The Field Service mobile app supports your mobile workforce with
real-time access to customer information, job details, and inventory, ensuring productivity with offline
capabilities and fostering efficient communication for problem solving.
Government Cloud Field Service Compliance
Learn about Field Service compliance for Government Cloud and Government Cloud Plus - Defense
users. Select the right Field Service features to mobilize your workforce with compliance and security
in mind.
Considerations and Limitations for Government Cloud Field Service Compliance
Before you use Field Service for Government Cloud, consider a few key points.
See Also
Salesforce Field Service
Field Service Mobile App
Get to Know Field Service Personas
Government Cloud Field Service Compliance
Learn about Field Service compliance for Government Cloud and Government Cloud Plus - Defense
users. Select the right Field Service features to mobilize your workforce with compliance and security in
mind.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
The Government Cloud Field Service core features, managed package, and mobile app are available in
Unlimited and Enterprise Editions.
To access the Field Service mobile app, users need the Field Service Mobile user license.
Field Service is approved for Federal Risk and Authorization Management Program (FedRAMP) High and
Department of Defense (DoD) Impact Level (IL) 5. Customers requiring connectivity to the DoD
Non-Classified Internet Protocol Router (NIPR) network must use Field Service in Government Cloud Plus -
Defense.
The Field Service mobile app operates within the FedRAMP authorization boundary, ensuring secure
access and control over sensitive data and functionality. Within this framework, your mobile workforce can
adhere to compliance standards and access customer information through mobile applications, letting them
deliver efficient service on-site. By enforcing strict authorization protocols, Field Service maintains data
integrity and confidentiality, fostering trust and compliance with regulatory requirements.
See Also
Field Service for Government Cloud
Set Up Field Service
Considerations and Limitations for Government Cloud Field
Service Compliance
Before you use Field Service for Government Cloud, consider a few key points.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
The Government Cloud Field Service core features, managed package, and mobile app are available in
Unlimited and Enterprise Editions.
To access the Field Service mobile app, users need the Field Service Mobile user license.
Dispatch Management
Dispatch management is authorized for Government Cloud Plus and Government Cloud Plus - Defense.
Dispatch management uses Google Maps for mapping capabilities, and this feature is off by default.
• For Government Cloud Plus, this feature is interoperable.
• For Government Cloud Plus - Defense, this feature isn’t available.
API calls from Salesforce to Google Maps are the authorization boundary of users of Field Service and are
off by default. Customers can turn on this feature within Field Service Settings. From Setup, in the Quick
Find box, enter and select Field Service Settings. Under Advanced Security Settings, select Send
geolocation and map data to Google and Apple.
Appointment Assistant
Appointment Assistant is an add-on feature for Government Cloud that helps mobile workers track
customers’ service experience. Appointment Assistant uses the Google Maps API to get the current
location of the customer and mobile worker.
• For Government Cloud Plus, this feature is interoperable.
• For Government Cloud Plus - Defense, this feature isn’t available.
Mobile Analytics
The Field Service mobile app sends analytics and crash report data to third-party systems that are outside
the authorization boundary. These settings are controlled by Advanced Security Settings.
Advanced Security Settings are turned off by default. Customers can turn on this feature within Field
Service Settings. From Setup, in the Quick Find box, enter and select Field Service Settings. Under
Advanced Security Settings, select Allow third parties to store mobile analytics data to enable mobile
analytics sharing, and select Send crash reports to Firebase.
See Also
Field Service for Government Cloud
Government Cloud Available Products and Features
Content Delivery Networks for Government Cloud
Get fast and reliable access to Salesforce resources with a content delivery network (CDN), a system of
distributed servers. CDNs deliver web content and digital resources based on users' geographic locations.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
CDNs store content on nearby servers to reduce latency and optimize performance. Government Cloud
uses Akamai, a CDN provider authorized up to the FedRAMP-Moderate level. However, as Akamai CDN
servers operate outside of the Government Cloud Plus authorization boundary, CDNs are disabled by
default for all new sites created from Government Cloud orgs. Customers requiring CDN functionality
can choose between these CDN solutions to meet their mission needs:
• Enhanced Domains
• Lightning Experience (LEX) CDN
• Intelligent Content Delivery Network (iCDN)
• Bring Your Own Third-Party Service or CDN
Note By using this functionality, you accept the risks of your data being stored outside the
Government Cloud Plus authorization boundary. Bring Your Own Third-Party Service or CDN is the
only supported solution for salesforce.mil customers in the Government Cloud Plus – Defense
environment.
Enhanced Domains
Enhanced Domains require Akamai CDNs to access a public virtual IP address (VIP) to retrieve your
cached data. This data is stored outside the Government Cloud Plus authorization boundary.
Lightning Experience (LEX) CDN
Salesforce admins can improve the performance of their Salesforce sites with LEX CDN, which operates
on Akamai servers. LEX is similar to Enhanced Domains but uses publicly available VIPs to retrieve your
cached Lightning web component content.
Intelligent Content Delivery Network (iCDN)
Mission owners can use artificial intelligence (AI) and machine learning (ML) to optimize content delivery
of static resources through iCDN.
Bring Your Own Third-Party Service or CDN
Alternatively, Government Cloud Plus and Government Cloud Plus – Defense customers can set up a
third-party-hosted CDN to meet their content delivery requirements.
See Also
Content Delivery Networks (CDNs) and Salesforce
Use a Third-Party Service or CDN to Serve Your Custom Domain
Messaging for In-App and Web in Government Cloud
Messaging for In-App and Web provides users with a personalized experience of messaging from their
mobile app or website to the Service Console. The asynchronous messaging experience allows agents
and customers to start and stop communication at their own pace.
Messaging for In-App and Web includes features such as typing indicators, read receipts, rich content
support for menus and buttons, and the convenience of sending and receiving attachments within the
chat thread. With Messaging for In-App and Web, customers can send messages straight from the
mobile app or website to agents by using the Service Console, and can choose when and where to
engage with their end users. Messaging for In-App and Web elevates traditional chat interactions
through an interactive, asynchronous experience.
The FedRAMP-authorized version of Messaging for In-App and Web in Government Cloud Plus can’t be
used with Service Cloud Voice, Messaging, or Einstein Bots. Customers who use those products must use
the version of Messaging for In-App and Web service that is commercially available to the public.
To use Messaging for In-App and Web, confirm you’re in an instance where it's enabled and
FedRAMP-authorized. If you aren't in an instance where the service is enabled, open a support ticket and request
your production and sandbox orgs be refreshed to instances with Messaging for In-App and Web
enabled.
If you're in an enabled instance and would like Messaging for In-App and Web activated, set up
Messaging for In-App and Web.
Note Messaging for In-App and Web is available for customers in Salesforce Government Cloud
Plus only in instances USA9014, USA9016s, and USA9018s. Customers on other instances use the
commercial Messaging for In-App and Web service that isn't within our compliance boundary.
See Also
Add Flexibility and Power with Messaging for In-App and Web
Trailhead: Messaging for In-App and Web Optimization
Private Connect in Salesforce Government Cloud Plus
Use Government Cloud Plus and Amazon Web Services (AWS) to securely route traffic via internal
connections instead of using the public internet. Salesforce Private Connect is a FedRAMP-High and DoD
Impact Level 5-authorized Salesforce product built on AWS PrivateLink.
Note Salesforce Government Cloud Plus runs in the AWS GovCloud-East region. Private Connect is
not available for Government Cloud Plus - Defense.
Configuring Salesforce Private Connect in Government Cloud Plus follows the same process as in
commercial environments. Connect your Government Cloud Plus orgs to Virtual Private Clouds (VPC)
only in the AWS GovCloud regions. Customers must have a presence in AWS GovCloud-East. If necessary,
customers can either migrate their AWS workload or set up a VPC in the AWS GovCloud-East region and
access it via peering. In Salesforce, customers must select the AWS GovCloud - East region.
See Also
Introducing Salesforce Private Connect
Using Private Connect to Securely Connect Salesforce and AWS
Secure Cross-Cloud Integrations with Private Connect
Connect to Government Cloud Plus via Salesforce Express
Connect
Boost performance by using Salesforce Express Connect. Securely route your data for Government Cloud
Plus orgs by establishing a direct, private connection from your data center to Salesforce infrastructure.
REQUIRED EDITIONS
Available in: Unlimited and Enterprise Editions
Salesforce Express Connect enables your business to access Salesforce applications directly without
going over the public internet. When using Salesforce Express Connect, traffic is routed directly from
your environment through a demilitarized zone (DMZ) network to Government Cloud Plus instances.
Government Cloud: Connectivity to the Internet and Salesforce Express Connect
Important Salesforce Express Connect isn’t applicable to Department of Defense (DoD) customers
using a .mil MyDomain. Because data traverses the Defense Information Systems Agency (DISA)
Boundary Cloud Access Point (BCAP), DoD customers are unable to use Salesforce Express Connect.
1. Configure routing for Government Cloud orgs by choosing the appropriate routes for inbound traffic.
a. Determine the instance your org is located on and accept the corresponding routes indicated for
each instance. View IP Addresses to Allow for Government Cloud Plus.
b. Depending on your Salesforce Express Connect subscription location, accept 136.146.76.72/29
route from Silicon Valley, CA; 136.146.77.72/29 route from Chicago, IL; or 136.146.78.72/29 route
from Ashburn, VA.
2. To restrict access based on IP ranges when using Salesforce Express Connect to access Government
Cloud Plus, submit a request to Salesforce Customer Support.
a. When you create a support case, include the Government Cloud Network Security team. The
support case provides the customer with the unique IP address ranges needed to allow access to
their org.
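A check of the prefixes your edge accepts over Express Connect against the routes listed in step 1, as an added example (not Salesforce tooling). The three /29 routes come from this page; the function name, the sample accepted list, and the per-instance prefix (a documentation-range placeholder for the values in "IP Addresses to Allow for Government Cloud Plus") are assumptions.

```python
import ipaddress

# Routes stated on this page, keyed by Express Connect subscription location.
EXPRESS_CONNECT_ROUTES = {
    "Silicon Valley, CA": "136.146.76.72/29",
    "Chicago, IL": "136.146.77.72/29",
    "Ashburn, VA": "136.146.78.72/29",
}


def audit_accepted_routes(location, accepted_prefixes, instance_routes=()):
    """Classify each prefix accepted on the Express Connect link.

    instance_routes: per-instance routes for your org (step 1a); hypothetical input.
    """
    expected = {ipaddress.ip_network(EXPRESS_CONNECT_ROUTES[location])}
    expected |= {ipaddress.ip_network(p) for p in instance_routes}
    other_sites = {
        ipaddress.ip_network(p): loc
        for loc, p in EXPRESS_CONNECT_ROUTES.items() if loc != location
    }
    known = expected | set(other_sites)
    report = {"ok": [], "wrong_location": [], "too_broad": [],
              "unexpected": [], "missing": []}
    seen = set()
    for raw in accepted_prefixes:
        net = ipaddress.ip_network(raw)  # raises ValueError on a malformed prefix
        if net in expected:
            report["ok"].append(str(net))
            seen.add(net)
        elif net in other_sites:
            # A route documented for a different subscription location.
            report["wrong_location"].append((str(net), other_sites[net]))
        elif any(k.version == net.version and k.subnet_of(net) for k in known):
            # A supernet of a documented route admits more than intended.
            report["too_broad"].append(str(net))
        else:
            report["unexpected"].append(str(net))
    report["missing"] = sorted(str(e) for e in expected - seen)
    return report


# Constructed sample input for an Ashburn, VA subscription.
SAMPLE_ACCEPTED = [
    "136.146.78.72/29",   # documented route for Ashburn
    "136.146.77.72/29",   # documented, but for Chicago
    "136.146.76.0/22",    # covers all three documented /29s
    "0.0.0.0/0",          # default route
    "203.0.113.0/24",     # unrelated prefix
]
SAMPLE_INSTANCE_ROUTES = ["198.51.100.0/24"]  # placeholder, not a real Salesforce range

if __name__ == "__main__":
    result = audit_accepted_routes("Ashburn, VA", SAMPLE_ACCEPTED, SAMPLE_INSTANCE_ROUTES)
    for category, items in result.items():
        print(category, items)
```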
See Also
Salesforce Express Connect
Restrict Login IP Addresses in Profiles
How to Create a Case on Salesforce Help
Where is my Salesforce instance located?