Public Sector

Internal Revenue Service Publication 1075 (“IRS 1075”) sets standards for information security, guidelines, and agreements for protecting US government agencies and their agents that access federal tax information (FTI). While the IRS does not publish an official designation or certification for compliance with Pub 1075, Zscaler supports organizations to protect FTI managed on the Zscaler Platform by aligning our implementations of NIST 800-53 and FedRAMP security controls with the respective IRS Pub 1075 security requirements. Zscaler has worked closely with the IRS to ensure that our GovClouds (US) meet Pub 1075 requirements for storing and processing FTI.

Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) are both JAB-High authorized. What’s more, ZIA is currently the only Secure Access Service Edge (SASE) Trusted Internet Connections (TIC) 3.0 solution that has achieved FedRAMP’s highest authorization.

Government agencies such as the DoD can leverage our market-leading zero trust platforms to take on the user experience and cost challenges of securing cloud-based application access for remote and hybrid users.

Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) have maintained the FedRAMP Moderate level authorization since 2018, allowing federal agencies, DoD commands, and federal contractors to take full advantage of the Zscaler Zero Trust Exchange.

With ZIA and ZPA in hand, agencies can reap the benefits of zero trust security to reduce overhead, streamline operations, and lower costs.

Zscaler is compliant with the Federal Information Processing Standard (FIPS 140-2), meeting NIST requirements for cryptographic modules. View certificates #3154 for Zscaler Mobile Cryptographic Module, #3159 for Zscaler Crypto Module, and #3188 for Zscaler Java Crypto.

Zscaler Private Access (ZPA) has achieved a Provisional Authorization to Operate (P-ATO) at Impact Level 5 (IL5), as published in the Department of Defense Cloud Computing Security Requirements Guide (DoD CC SRG). This allows gov. agencies and their contractors to the Zscaler Zero Trust Exchange platform for systems that manage their most sensitive Controlled Unclassified Information (CUI) as well as unclassified National Security Systems (NSSs). Zscaler Internet Access (ZIA) has achieved Authorization to Operate (ATO) at Impact level 2 (IL2). The DoD’s Defense Innovation Unit (DIU) has selected Zscaler to prototype ZPA and ZIA as secure access technologies.

Zscaler maintains compliance with Criminal Justice Information Services, ensuring the protection of information as required by CJIS Security Policy.

In recognition and support of the “Electronic and Information Accessibility Standards” defined by Section 508 of the Rehabilitation Act, we publish accessibility self-assessments of Zscaler products using Voluntary Product Accessibility Templates (VPATs). Section 508 was enacted to eliminate barriers in information technology, to make new opportunities available for people with disabilities, and encourage the development of technologies that will help achieve these goals.

Zscaler completed the Trusted Internet Connection (TIC) 3.0 Overlay review with the Department of Homeland Security (DHS) as well as the Cybersecurity and Infrastructure Security Agency (CISA). TIC is a federal cybersecurity initiative intended to enhance network and perimeter security across the federal government. The goal of TIC 3.0 is to secure federal data, networks, and boundaries while providing visibility into agency traffic, including cloud communications.

National Institute of Standards and Technology (NIST) Special Publication 800-63C provides requirements to identity providers (IdPs) and relying parties (RPs) of federated identity systems. Federation allows a given IdP to provide authentication attributes and (optionally) subscriber attributes to a number of separately administered RPs through the use of assertions. Similarly, RPs may use more than one IdP.

The National Institute of Standards and Technology (NIST) 800-53 creates standards and guidelines pertaining to information security, that are generally applicable to US Federal Information Systems. Zscaler adheres to the NIST 800-53 ensuring sufficient protection of confidentiality, integrity, and availability of information and information systems.

The Texas Risk and Authorization Management Program (TX-RAMP) provides a standardized approach for security assessment, continuous monitoring, and authorization of third-party vendors that process the data of a state agency or public higher education institution in the State of Texas (agencies). Zscaler has achieved the TX-RAMP Level-2 authorization that enables Zscaler to operate with confidential/regulated data in moderate or high-impact systems.

StateRAMP is a cybersecurity program that addresses the needs of procurement and security officials with state and local governments (SLGs) in the United States. Zscaler Internet Access (ZIA) Moderate Cloud has achieved the StateRAMP Authorized status, demonstrating Zscaler’s commitment toward securing state and local government employees and data.

The SOC 2, Type II report provides independent validation that our security controls are in accordance with the American Institute of Certified Public Accountants’ applicable Trust Services Principles and Criteria. Read the full report.

Zscaler has achieved the ISO 27001 certificate, following the ISO/IEC 27002: 2013 best practice, attesting that our services are based on internationally recognized best practices for information security management and comprehensive security controls. Read the full report.

ISO/IEC 27018:2014 is a code of practice that focuses on protection of personal data in the cloud. Based on ISO/IEC information security standard 27002, it provides implementation guidance on ISO/IEC 27002 controls applicable to public cloud personally identifiable information (PII). Read the full report.