The U.S. Department of Defense (DoD) has published the Cybersecurity Maturity Model Certification (CMMC) final rule to ensure that defense contractors are properly protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This rule defines the security requirements that defense contractors must meet for different maturity levels and explains how the DoD will confirm that these security controls are maintained across the contract period of performance. Many defense contractors can perform self-assessments and in the future can expect CMMC requirements to be written into contracts. For FCI, defense contractors must perform a self-assessment annually to demonstrate compliance with the 15 security requirements set by FAR clause 52.204-21. For CUI, defense contractors must perform an assessment every three years to comply with the 110 Level 2 security requirements derived from NIST SP 800-171 R2.
However, many defense contractors don’t realize that they may be misconfiguring or oversharing data within their Salesforce orgs, and their attempts to mitigate these risks are often reactive, time-consuming, and error-prone. Knowing where sensitive data is stored in Salesforce is the foundation for security and compliance, but classifying that data manually is slow and inconsistent. Another pain point for defense contractors is the time and effort it takes to produce security audit and compliance reports. We developed Own Secure for Salesforce specifically to overcome these challenges, significantly reducing the time and resources required to keep your Salesforce org secure and to produce reports for audit and compliance purposes, including NIST SP 800-171.
Own Secure codifies deep Salesforce security expertise to deliver a comprehensive data-centric toolset that focuses and speeds up data labeling (e.g., FCI, CUI), implements zero trust principles to reduce risk, and helps mitigate insider threats. In addition, Own FedRAMP Authorized solutions include Own Recover for maintaining mission operational continuity and accelerating data recovery, and Own Archive for managing data retention policies and reducing storage costs.
Empowering defense contractors to thrive in a "de-perimeterized" Zero Trust world
Salesforce is an incredibly flexible and customizable platform, which is one of its greatest strengths, allowing defense contractors to tailor the system to their unique needs. However, this flexibility combined with the Shared Responsibility Model means maintaining proper data security in Salesforce can be challenging due to the complexity of the environment, as well as the growing amount of data, users, integrations, and APIs. Misconfigurations and inadequate role-based access create chronic and recurrent security risks that often don't stay remediated. With 84% of Salesforce users accessing sensitive data and Gartner estimating that 80% of cloud security breaches stem from misconfigurations, the risk is real. Thousands of Own customers use their backups to restore data every month, and in fact, 32% of Salesforce customers lose more than 1 GB of data each month, increasing the risk of data exposure and disruption to key services.
An effective SaaS data protection strategy is not just about preventing data loss or corruption but also about having the right tools to recover quickly when a data loss or corruption inevitably occurs. It’s also advisable to offload any deprecated data routinely and automatically into a secure archive to reduce the amount of data accessible in production environments, reducing attack surface as well as storage costs. Own’s FedRAMP® authorized solutions can help agencies secure their Salesforce data and satisfy their DoD, FISMA, NIST, and CISA obligations, including performing annual risk assessments and ensuring that backup restoration capabilities are tested for recovery within defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
We also recommend conducting annual data security risk assessments to evaluate how your Salesforce org is evolving and whether it's drifting from established configurations and policies. Own Secure for Salesforce streamlines recurring risk assessments that align with the NIST Cybersecurity Framework (CSF), NIST SP 800-53, and other standards.
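The drift check described above, as an added illustration rather than Own Secure's own code: it compares an approved baseline of Salesforce org-wide defaults (OWD) and profile object permissions against a current snapshot, and rates any loosening on an object that the data classification marks as holding CUI as HIGH. All snapshots, object names, and profile names are constructed for the example; obtaining real snapshots from the Metadata API is outside its scope.

```python
"""Drift check: approved Salesforce sharing baseline vs. current snapshot.

Added example (not Own Secure's implementation). Inputs are constructed
dictionaries standing in for exported org-wide defaults and profile
object permissions; object and profile names are assumptions.
"""
from dataclasses import dataclass

# Salesforce org-wide default levels, ordered from most to least restrictive
OWD_RANK = {"Private": 0, "Public Read Only": 1, "Public Read/Write": 2}

# Profile object permissions that bypass record sharing entirely
BROAD_PERMS = {"viewAllRecords", "modifyAllRecords"}

SEVERITY_ORDER = ("HIGH", "MEDIUM", "LOW")


@dataclass(frozen=True)
class Finding:
    severity: str
    where: str
    detail: str


def owd_drift(baseline, current, cui_objects):
    """Flag objects whose OWD became less restrictive than the baseline.

    baseline/current: {object_name: owd_level}. Tightening is never flagged.
    """
    findings = []
    for obj, base_level in baseline.items():
        cur_level = current.get(obj)
        if cur_level is None:
            findings.append(Finding("MEDIUM", obj, "object absent from current snapshot"))
            continue
        if OWD_RANK[cur_level] > OWD_RANK[base_level]:
            severity = "HIGH" if obj in cui_objects else "MEDIUM"
            findings.append(
                Finding(severity, obj, f"OWD loosened from {base_level} to {cur_level}")
            )
    return findings


def profile_drift(baseline, current, cui_objects):
    """Flag object permissions a profile gained since the baseline.

    baseline/current: {profile: {object_name: set(permission_names)}}.
    Permission names follow Profile metadata (allowRead, allowEdit,
    allowDelete, viewAllRecords, modifyAllRecords).
    """
    findings = []
    for profile, objects in current.items():
        base_objects = baseline.get(profile, {})
        for obj, perms in objects.items():
            added = perms - base_objects.get(obj, set())
            if not added:
                continue
            if obj in cui_objects and (added & BROAD_PERMS or "allowDelete" in added):
                severity = "HIGH"
            elif obj in cui_objects:
                severity = "MEDIUM"
            else:
                severity = "LOW"
            findings.append(
                Finding(severity, f"{profile}/{obj}", f"gained {sorted(added)}")
            )
    return findings


def assess(baseline_owd, current_owd, baseline_profiles, current_profiles, cui_objects):
    """Run both checks and return findings ordered by severity."""
    findings = owd_drift(baseline_owd, current_owd, cui_objects)
    findings += profile_drift(baseline_profiles, current_profiles, cui_objects)
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f.severity))
    return findings


if __name__ == "__main__":
    # Constructed snapshots: Contract__c is classified as holding CUI
    cui = {"Contract__c"}
    base_owd = {"Contract__c": "Private", "Account": "Public Read Only"}
    cur_owd = {"Contract__c": "Public Read Only", "Account": "Public Read Only"}
    base_profiles = {"Developer": {"Contract__c": {"allowRead"}}}
    cur_profiles = {
        "Developer": {"Contract__c": {"allowRead", "viewAllRecords"}},
        "Intern": {"Account": {"allowRead"}},
    }
    for f in assess(base_owd, cur_owd, base_profiles, cur_profiles, cui):
        print(f"{f.severity:6} {f.where}: {f.detail}")
```

Running the check on each scheduled assessment, and on every deployment that touches sharing settings, turns a periodic manual review into a repeatable report: only loosening is flagged, and the data classification decides how loudly.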
Lastly, don’t overlook development environments—they can be a significant point of exposure. These environments often don’t get the same attention as production systems, even though they can contain sensitive data. In some cases, developers working for defense contractors should not have access to sensitive data, which is why both role-based access control and data anonymization are essential.
That’s another reason it's important to know where your sensitive information lives, using Own Secure data classification, and why customers use Own Accelerate, our sandbox seeding solution, to anonymize sensitive fields, limiting exposure even for developers with elevated access.
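The sandbox seeding pattern described in the two paragraphs above, shown as an added example that is not Own Accelerate's code: a data-classification map (constructed here; the object names, field names, and labels are assumptions) decides what happens to each field as production records are copied into a sandbox. Unclassified fields are copied, fields labelled FCI, CUI, or PII are replaced with keyed pseudonyms so that records still join correctly without carrying the original content, and any field missing from the map is refused so that a newly added sensitive field cannot leak by default.

```python
"""Anonymizing classified fields before seeding a Salesforce sandbox.

Added example, not Own Accelerate's implementation. The classification
map, key, and sample records are all constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed key for this example only. In practice the key is a managed
# secret that never leaves the seeding pipeline and is rotated per refresh.
SEED_KEY = b"constructed-example-seeding-key"

# Constructed classification map: object -> field -> label.
# None means the field is not sensitive and may be copied as-is.
CLASSIFICATION = {
    "Contact": {
        "Id": None,
        "Email": "PII",
        "Phone": "PII",
        "LastName": "PII",
        "Title": None,
    },
    "Contract__c": {
        "Id": None,
        "Contract_Number__c": "FCI",
        "Scope_Notes__c": "CUI",
        "Status__c": None,
    },
}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def pseudonym(value, key=SEED_KEY, length=12):
    """Deterministic keyed token (HMAC-SHA256, truncated).

    The same input always yields the same token, so lookups and joins in
    the sandbox still line up, but the token cannot be reversed without
    the key and reveals nothing about the original value.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:length]


def mask_value(value, label, key=SEED_KEY):
    """Apply the masking rule for one field according to its label."""
    if value is None or label is None:
        return value
    text = str(value)
    if label == "PII" and EMAIL_RE.fullmatch(text):
        # Keep a valid email shape so validation rules and flows still pass,
        # on a reserved domain that can never deliver mail.
        return f"user-{pseudonym(text, key)}@example.invalid"
    # FCI, CUI and non-email PII: the content is dropped entirely and only a
    # linkable token, prefixed with its label for auditability, remains.
    return f"{label}-{pseudonym(text, key)}"


def anonymize_record(object_name, record, classification=CLASSIFICATION, key=SEED_KEY):
    """Return a sandbox-safe copy of one record, failing closed on gaps.

    Raises ValueError for an unclassified object or field: anything the
    classification does not cover is never copied into the sandbox.
    """
    fields = classification.get(object_name)
    if fields is None:
        raise ValueError(f"{object_name} has no classification; refusing to seed it")
    out = {}
    for field, value in record.items():
        if field not in fields:
            raise ValueError(f"{object_name}.{field} is unclassified; refusing to copy it")
        out[field] = mask_value(value, fields[field], key)
    return out


def anonymize_batch(object_name, records, **kwargs):
    """Anonymize a list of records of one object type."""
    return [anonymize_record(object_name, r, **kwargs) for r in records]


if __name__ == "__main__":
    # Constructed sample records standing in for a production export
    contacts = [
        {"Id": "003000000000001", "Email": "j.doe@contractor.example",
         "Phone": "555-0100", "LastName": "Doe", "Title": "Engineer"},
        {"Id": "003000000000002", "Email": "j.doe@contractor.example",
         "Phone": "555-0101", "LastName": "Doe", "Title": "Analyst"},
    ]
    for record in anonymize_batch("Contact", contacts):
        print(record)
```

Two design choices carry the security value here: the refusal of unclassified fields, so classification work has to happen before data moves rather than after a leak, and the keyed pseudonym, which keeps the seeded data usable for testing relationships while leaving nothing for a developer with elevated sandbox access to read.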
Ready to take the first step to protecting your sensitive data within Salesforce? Learn more about the Own Data Platform—Recover, Archive, Accelerate, and Secure—along with TAM Support for an annual security risk assessment.