Sherlock Cloud has been protecting and securing sensitive data for over a decade. It has the knowledge, expertise and infrastructure in place to guide and support partners’ compliance needs. Sherlock Cloud was built in accordance with the NIST 800-53 requirements – a highly comprehensive set of requirements that roadmaps the necessities of a good security plan to reduce the risk of a breach and major security issues. As the compliance requirements are ever-changing, it is imperative to remain knowledgeable, agile and adaptable. Sherlock’s team closely monitors the necessary compliance regulations, laws and requirements and implements updates as they arise. This not only ensures the data of Sherlock’s partners is appropriately protected, but it eliminates compliance guesswork on the part of its partners.
Sherlock Cloud has three environments that have been built using the NIST 800-53 requirements: FISMA, HIPAA and CUI. Additionally, Sherlock Cloud has expanded its compliance expertise to now offer its solutions utilizing the AWS Cloud. Sherlock partners will have the option to choose managed compliant services operating on premise at SDSC, in the AWS Cloud, or a combination of the two.
The Federal Information Security Management Act (FISMA) requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.
Sherlock Cloud is a FISMA-certified environment. The Sherlock team has maintained this environment since 2008, and is well-versed in the requirements to successfully protect data within the confines of this environment, pass yearly security assessments, and comply with the varied elements of FISMA certification.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulates how covered entities and business associates use and disclose protected health information (PHI) and has established various requirements and standards that serve to maintain the privacy and security of individually identifiable health information while preserving the community’s need to use the information. The Office for Civil Rights enforces HIPAA and its required rules including: (1) the Privacy Rule - governing and protecting the privacy of individually identifiable health information; (2) the Security Rule - identifying the national standards for the security of electronic protected health information (ePHI); and (3) the Breach Notification Rule - requiring that covered entities and business associates provide notification following a breach of unsecured PHI.
While the Health CI Division complies with the HIPAA rules in totality, its Sherlock Cloud infrastructure aligns with the compliance mandates set forth in the Security Rule. To do so, the infrastructure complies with the required administrative, physical, and technical safeguards to protect electronic information. (See 45 CFR §§160 and 164.) Notably, the HIPAA Security Rule does not prescribe how a covered entity or business associate is to comply with the safeguards, but rather allows flexibility in the interpretation of the safeguards to best fit the organization’s environment. The Health CI Division leveraged its FISMA experience and NIST security controls expertise to develop and build a highly secure HIPAA environment that exceeds the outlined Security Rule safeguards.
The federal government released NIST 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, which requires non-federal entities that receive non-classified information (i.e., CUI) from the federal government to implement a variety of security protections when processing, storing, transmitting, and using CUI in non-federal information systems. The security requirements outlined in NIST 800-171 are based off of the NIST 800-53 Moderate baseline security families and controls and FIPS 200.
Compliance with NIST 800-171 requires specialized knowledge and experience due to its grounding in NIST 800-53. As the Sherlock team has implemented and worked in the NIST 800-53 arena for 10 years, it has seamlessly incorporated all NIST 800-171 requirements to satisfy the CUI security protections in its Sherlock Cloud CUI-compliant environment.