Security standards for Pega Cloud for Government

This article is part of the Pega Cloud for Government Subscription Documentation.

Pega and the client are both responsible for security in Pega Cloud for Government (PCFG):

• The Client is responsible for the security of, and access to, the client Application.
• Pegasystems is responsible for the security of the client environments at the infrastructure level. 

The Pegasystems Security Program outlined in the cloud agreement governs the infrastructure on which the client environment is built.

• This Pegasystems Security Program infrastructure includes the hardware, software, networking, and facilities that support PCFG services.
• PCFG manages these services on behalf of each client, from initial provisioning to final decommissioning.

Compliance

Pegasystems provides transparency about our compliance posture on emerging and established national and local regulations and standards. Pegasystems maintains an extensive set of compliance certifications, attestations, and third party assessments to give our clients confidence in our solutions.  For details, see the Pega Trust Center.

Pega Cloud for Government inherits several security controls from the FedRAMP High implementation on AWS GovCloud. PCFG is currently authorized as FedRAMP Moderate and DoD RMF Impact Level 2 as shown here.

Pega is actively working to achieve higher levels of authorization for both FedRAMP and DoD RMF.

Technical and Organizational Controls

The technical and organizational measures implemented by Pegasystems include:

• Encryption of personal data:  Pegasystems encrypts all data at rest in an Environment using 256-bit AES encryption.  PCFG-hosted web applications provide functionality for data in transit encryption with https (TLS) and digital certificates.  Within the Pega Platform, client can also use Dev Studio to configure secure TLS 1.2 connectivity to their external REST or SOAP services.  (Pseudonymisation or anonymization of personal data is the sole responsibility of the client.)
• Ability to restore availability and access to personal data:  Pegasystems shall maintain a disaster recovery plan in accordance with FedRAMP security controls, including automatic failover to a like facility to meet the recovery point objective (RPO) and recovery time objective (RTO) parameters published in the Subscription Documentation.
• Notification of incidents:  During the term of the Subscription Services, Pegasystems will notify clients within the timeframe specified by FedRAMP security controls when Pegasystems confirms any actual security incident affecting the confidentiality, integrity or availability of client data at the infrastructure layer.  In the event of such a security incident, Pegasystems will cooperate with client in accordance with the law and regulations applicable to Pegasystems.
• Process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures:  Pegasystems shall perform a FedRAMP annual audit.  Pegasystems agrees to perform, or have a qualified third party perform, external penetration tests of the Pega Cloud for Government and to conduct internal network security vulnerability assessments at least quarterly. Pegasystems shall mitigate any vulnerabilities discovered during the penetration tests or network security vulnerability assessments.

Pega is also responsible for:

• Establishing security group configurations for secure client access.
• Protecting data in transit over the Internet.  This is in addition to data security protocols for which clients are responsible.
• Providing host-based virus protection services, scans, and signature updates.
• Monitoring the security of the infrastructure components in each client environment.
• Managing the security of PCFG-delivered environments and the Pega Cloud service management systems.
• Providing a dedicated security team that manages compliance, security monitoring, and security event response.
• Accommodating requests for client penetration testing of client applications, as permitted by the Vulnerability Testing Policy.

Clients are responsible for the Client Data Rights and Responsibilities, as set forth in the applicable Subscription Documentation, including:

• The development, management, implementation, maintenance, and security of their Pega Platform applications as they build and operate their Pega-Platform-based applications beyond the default platform. Several of these responsibilities include, but are not limited to, application and workflow development, data classification, and user administration and entitlement management.
• The security of data in transit between Pega Cloud for Government and clients’ external systems using Direct Connect, virtual private cloud (VPC) peering, or virtual private networks (VPNs).

Physical and environmental controls

Pega Cloud for Government uses a third party as its Infrastructure-as-a-Service (IaaS) provider (currently Amazon Web Services [AWS] GovCloud), which hosts PCFG environments in state-of-the-art, large-scale, secure data centers.

• The IaaS provides the physical and environmental security controls for the cloud infrastructure. PCFG inherits these controls as part of the shared security model.  See the IaaS provider website for summary of controls with current IaaS provider (currently Amazon Cloud Security).
• Pega Cloud for Government provides a client support facility from which PCFG environments are monitored and maintained.
• Pega Cloud for Government also provides security monitoring capabilities; our engineers proactively develop and implement industry-standard security practices.
• Access to the PCFG support facilities is restricted to authorized personnel only.  Additionally, PCFG provides access controls (detailed in clients’ contracts) as part of the PCFG Security Program.

Access Controls

In addition to the physical security, Pega Cloud for Government operations has implemented access control measures which:

• restrict access to clients' environments to only those PCFG support personnel as requested by the PCFG client 
• maintain a list of personnel with authorized access
• review and approve access lists quarterly
• remove personnel who no longer require access

All access to data centers and client environments is logged and routinely audited.

All administration of our cloud environments is done through a control plane, using role-based access control with multi-factor authentication.

Network and infrastructure controls

The Pega Cloud for Government network architecture provides a level of security that allows each client to effectively operate the Pega Platform. PCFG manages and provides each client with:

• Virtual network devices to establish the boundaries, network rulesets, and access controls to govern inbound and outbound traffic in any client environment.
• Network security controls that limit access from untrusted sources.
• Network architecture that limits the effects of distributed denial-of-service (DDoS) attacks.
• An HTTP/HTTPS Internet gateway that provides access for clients who want connectivity to their virtual private cloud (VPC) environment directly from the Internet.
• An optional secure IPsec virtual private network (VPN) connection point that enables access between the client location and the client’s virtual private cloud (VPC) environment.
• Authentication controls for PCFG support personnel supporting client infrastructure. Authorized PCFG engineers are required to authenticate to PCFG Management tools by using unique user identification credentials and replay-resistant two-factor authentication tokens prior to being granted secure access to the PCFG network.
• Continuous monitoring of the infrastructure components in each client environment.

Malware protection

• PCFG deploys anti-malware software on the Pegasystems infrastructure level.
• PCFG deploys host-based malware services, scans, and signature updates that cannot be disabled or altered by users.

Risk management

Pega Cloud for Government security and compliance teams conduct regular audits and risk assessments of the PCFG offering to maintain adequate governance over the entire environment. In addition:

• PCFG provides vulnerability and security management for PCFG-delivered environments and the PCFG management systems.
• Client-led, application-level vulnerability assessment requests and other security reviews related to the client applications can be accommodated according to the Pega Cloud Vulnerability Testing Policy.
• At least once per year or when significant changes to the networks are made, PCFG conducts an information security risk assessment on current information security controls that affect the confidentiality, integrity, or availability of client data.