Today, we announced our commitment to achieving the US Federal Risk and Authorization Management Program (FedRAMP) - High, Australian Infosec Registered Assessors Program (IRAP), and Spain’s Esquema Nacional de Seguridad (ENS) as part of Cloudflare for Government. As more and more essential services are being shifted to the Internet, ensuring that governments and regulated industries have industry standard tools is critical for ensuring their uptime, reliability and performance.
What sets Cloudflare for Government apart?
Cloudflare’s network spans more than 330 cities in over 120 countries, where we interconnect with approximately 13,000 network providers in order to provide a broad range of services to millions of customers. Our network is our greatest strength to provide resiliency, security, and performance. So instead of creating a siloed government network that has limited access to our products and services, we decided to build the unique government compliance capabilities directly into our platform from the very beginning. We accomplished this by delivering critical controls in three key areas: traffic processing, management, and metadata storage.
The benefit of running the same software across our entire network is that it enables us to leverage our global footprint, and then make smart choices about how to handle traffic. For instance, Regional Services (our system that ensures that traffic is processed in the correct region) runs globally. We can offer anycast for all customer traffic, even FedRAMP Moderate traffic. Regional Services allows us to do global Layer 3 (network layer) DDoS attack prevention, while still only decrypting traffic inside our FedRAMP, IRAP, or ENS boundary. We get similar advantages for key management and metadata storage locality.
Network and security services can dramatically improve user experiences, but only when they run as close to the user as possible, even if the user doesn’t live close to a major hub. Leveraging our global network of over 300 data centers to ingest traffic to our network, our private backbone can move traffic to the closest certified processing location. This enables you to meet the most stringent compliance requirements without trading off user experience.
Cloudflare’s strong commitment is to deliver a first class experience for all regulated and public sector customers, regardless of the complexity of their requirements, on one single platform with all of our products. Doing the hard work upfront of building on a single network without taking shortcuts has allowed us to provide our FedRAMP Moderate, and soon our FedRAMP High, ENS, and IRAP offering to everyone without segmentation of the platform.
Our single platform strategy enables almost every Cloudflare product and service across all of our solution areas to be included in scope with Cloudflare for Government.
How has the Cloudflare for Government service offering evolved over the past two years?
Since our FedRAMP Moderate authorization in 2022, Cloudflare has continuously expanded and improved our program. This has included the expansion of our FedRAMP scope to include even more products to secure the US public sector:
API Shield provides API Security and abuse detection features with a strong focus on data-driven approaches.
R2 provides object storage for large amounts of unstructured data without costly egress bandwidth fees.
Cache Reserve is a large, persistent data store implemented on top of R2.
Cloud Access Security Broker (CASB) connects, scans, and monitors SaaS applications for security issues. It is part of Cloudflare’s Zero Trust platform, which uses API-driven and easy-to-use tools to protect data and users across SaaS apps. Cloudflare CASB can detect and prevent data leaks, compliance violations, shadow IT, misconfigurations, and risky data sharing.
We’re also looking forward to introducing two new Cloudflare Products into our FedRAMP Moderate scope in 2025:
Hyperdrive accelerates queries made to existing databases, making it faster to access data from across the globe, irrespective of user location.
Cloudflare Images is a robust, cloud-native image pipeline that ingests, stores, optimizes, and delivers images across our global network.
As we pursue FedRAMP High, ENS, and IRAP, we are committed to certifying, and authorizing the entire range of Cloudflare products on our platform, not just point source solutions. Over the next several years, we will focus on making sure that all GA products at Cloudflare are able to run in the most regulatory complex environments. We are excited about bringing products like Email Security, Cloudflare Calls, and Access for Infrastructure into Cloudflare for Government.
As discussed above, Cloudflare’s scale is one of many things that sets us apart from other cloud service providers. Currently operating in over 30 data centers across 10 cities in the United States, Cloudflare is expanding the Cloudflare for Government boundary to include eight international data centers and four new US data centers in 2025. Not only will this expansion enable Cloudflare to more quickly serve public sector customers outside the US, but it also reinforces our commitment to help protect and connect customers globally as the world’s first connectivity cloud.
Cloudflare is ready for the future of the public sector
Cloudflare continues to be a leader in the post-quantum cryptography (PQC) space, and we believe that post-quantum security should be the new baseline for the Internet. We could not have achieved meaningful progress with the global rollout of ML-KEM without our deep collaboration with NIST in the US. Our public-private collaboration has been immensely valuable. It has been key in getting these cryptographic algorithms adopted at Cloudflare, and with our standards partners, to help everyone defend against future attacks from quantum computers. Over the last two years, this collaboration has led to over one-third of Cloudflare’s eyeball traffic being secured with PQC.
Our work in PQC demonstrates one of the many ways in which we remain committed to research and innovation at Cloudflare, aligning well to the goals articulated by NIST and our other government partners. Our collaboration enabled us to bring PQC to FIPS in early 2023. Empowering service providers like Cloudflare to innovate and use industry-recognized technologies strengthens both private and public sector systems.
Australian and Spanish security certifications
Over the last decade we have demonstrated our commitment to obtaining both international (such as PCI, SOC2, and ISO 27001) and country-specific security certifications / authorizations. Today, Cloudflare is proud to announce that we have completed authorizations for Spain (ENS). We are currently undergoing an assessment with Australia (IRAP).
What’s next for Cloudflare’s public sector compliance?
Two years of FedRAMP Moderate is just the beginning for our Cloudflare for Government journey. As we look into the new year, we can’t help but be excited about all that’s to come as we grow our public sector compliance program with FedRAMP High, IRAP, and ENS.
We invite all of our Cloudflare for Government public and private partners to learn more about our capabilities and work with us to develop solutions to meet the security demands required in complex environments. Please reach out to us at [email protected] with any questions.
For more information on Cloudflare’s FedRAMP status, please visit the FedRAMP Marketplace.