Compliance at CyberArk

CyberArk is committed to leading compliance and regulatory measures designed to ensure that our business is compliant and your data is safe.

Compliance program

CyberArk has obtained the following accreditations to provide independent assurance that our programs, products and services meet industry standards for security:

ISO 27001

International standard for managing information security. ISO details requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS).

SOC 2 Type 2

These reports help our customers and their auditors understand the controls CyberArk has established to support operations and compliance. CyberArk has achieved SOC 2 Type 2 certifications for many of our SaaS products.

CSA STAR Certification

Founded in 2013 by the Cloud Security Alliance, the Security Trust Assurance and Risk (STAR) registry encompasses key principles of transparency, rigorous auditing, and cloud security and privacy best practices.

CyberArk has earned the Trusted Cloud Provider trustmark from CSA, demonstrating CyberArk’s extended commitment to holistic security through training, education, and contributing to the community through volunteering and cloud security evangelism.

SOC 3 Reports

A public facing report demonstrating CyberArk has met the AICPA Trust Services Security, Availability, and Confidentiality Criteria.

View Reports

ISO 27017

ISO 27017:2015

International standard for managing information security for cloud services, supplementing guidance from the ISO 27001 standard with specific guidelines for security controls in a cloud environment.

ISO 27018

ISO 27018:2019

International standard for managing the security and privacy of Personally Identifiable Information (PII) within a cloud environment. This standard outlines how cloud service providers can assess risk and implement controls protecting PII.

WCAG 2.1 compliance

CyberArk is committed to following Web Content Accessibility Guidelines (WCAG) standards to ensure our products are accessible to all users. Our continuous efforts to uphold WCAG compliance demonstrate our dedication to inclusivity and ensuring equal access to information and services for everyone. For more information, please visit our PAM Self-Hosted documentation.

DoD Information Network Approved Product List (DoDIN APL)

CyberArk Privileged Access Manager Self-Hosted version 14.2 has been officially listed as a trusted solution for Department of Defense (DoD) customers. CyberArk PAM Self-Hosted version 14.2 can be found on the DoD Information Network Approved Product List (DoDIN APL), meeting specifications for the DoD. For more information, see DoDIN APL.

PAM Self-Hosted Receives Common Criteria NSCIB and NIAP Scheme Certifications

CyberArk PAM Self-Hosted main modules, Vault, PSM, PSMP, CPM and PVWA are Common Criteria certified for the Dutch Scheme (NSCIB) and the American Scheme (NIAP), supporting federal agencies.

The certification was done based on the tested operating systems, split into 3 packages: the Vault, the Win based components (PVWA, PSM, CPM) and the Linux based PSMP.

Certifications details can be found on the Common Criteria site and the NIAP site.

We are listed on the Trust CB site: https://trustcb.com/common-criteria/nscib/nscib-certificates/

FedRAMP High Authorization

CyberArk’s leading SaaS offerings, CyberArk Endpoint Privilege Manager and CyberArk Workforce Identity, achieve FedRAMP High Authorization, enhancing security for federal agencies in line with Zero Trust principles.

FIDO logo

FIDO2 Certification

CyberArk Workforce Identity has achieved FIDO2 certification by the FIDO Alliance. CyberArk continues to advance its offering to eliminate password-based authentication vulnerabilities and meet industry standards for secure, phishing-resistant sign-ins and device attestation. Through open standards and passkeys, FIDO offers stronger, more secure alternatives to passwords and SMS OTPs, significantly reducing the risk of credential theft.

CyberGRX

CyberGRX operates the world’s largest cyber risk exchange with over 250,000 participants. CyberArk participates in the CyberGRX Global Risk Exchange via an annual validated assessment. CyberArk customers can leverage our CyberGRX report to reduce their supplier due-diligence burden. CyberGRX assessments apply a dynamic and comprehensive approach to third party risk assessment, replacing outdated static spreadsheets as well as the need to repetitively request access to CyberArk’s assessment each year. The latest report can be accessed through CyberGRX’s Exchange Portal.

Cybergrx

Supply Chain Compliance

Supply chain security program

CyberArk policies are designed to ensure that engagements with third parties are, where applicable, subject to a review and approval process by CyberArk, continuously monitored, and required to comply with security requirements as a condition of their engagement.

Sub-Processors

Internal & external audit

CyberArk performs comprehensive security audits in partnership with leading audit firms on an annual basis. Additional risk-based internal audits are performed and reported to the Audit Committee as needed. All outputs are fed into a continuous improvement work plan which helps CyberArk continue sharpen our greater security program.

Internal and External Audit Compliance