Common Questions and Answers Salesforce ISVs Need to Know for FedRAMP

David Clevenger, Senior Director FedRAMP Assessment Services, Coalfire

Many Salesforce Independent Software Vendors (ISVs) are interested in pursuing FedRAMP to serve federal customers, but have many questions about the process. The four questions below are the most common questions that Coalfire receives from these ISV partners; we have provided some basic responses to help provide a better understanding of the Salesforce FedRAMP process.

1. What is ‘control inheritance,’ and how does Salesforce’s FedRAMP ATO help us?

Control inheritance defines controls that the ISV will not be responsible for and which will inherit the security provided to them by Salesforce. Because the ISV sits on Salesforce, the ISV will inherit the management of the Salesforce environment from the Salesforce FedRAMP and IL4 accreditations. Applications native to the Salesforce Government Cloud will be responsible for implementing fewer controls than a composite application. Many native applications sitting on the Salesforce Government Cloud inherit about 60% of the 325 FedRAMP Moderate controls, while composite applications often inherit only about 50% of the FedRAMP Moderate controls. Many Salesforce Government Cloud ISVs use the Salesforce Government Cloud to only host their code base. Between 40%-50% of FedRAMP Moderate controls applicable to an ISV’s environment are focused primarily on personnel that manage the proprietary code (i.e., proper background checks), configuration of the code, and management of the code before entering Salesforce. A well-defined boundary is extremely important as it is a stringent requirement for Cloud Service Providers (CSPs) pursuing a FedRAMP ATO. For ISVs sitting on the Salesforce Government Cloud, Salesforce provides the Infrastructure as a Service (IaaS) and management layers (operating systems, databases, networking, etc.), and the ISV is responsible for the proprietary code and (if a composite app) for their own infrastructure.

2. What is the new FedRAMP Tailored program, and why should an ISV consider FedRAMP Tailored?

FedRAMP Tailored is the newest path for CSPs that can answer ‘yes’ to all of the questions below:
  1. Does the service operate in a cloud environment?
  2. Is the cloud service fully operational?
  3. Is the cloud service a Software as a Service (SaaS), as defined by NIST SP 800-145, The NIST Definition of Cloud Computing?
  4. Does the cloud service contain no personally identifiable information (PII), except as needed to provide a login capability (username, password, and email address)?
  5. Is the cloud service low-security-impact, as defined by FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems?
  6. Is the cloud service hosted within a FedRAMP-authorized Platform as a Service (PaaS) or Infrastructure as a Service (IaaS), or is the CSP providing the underlying cloud infrastructure?

3. What is Coalfire’s experience in the Salesforce ecosystem?

Coalfire has performed the Salesforce Government Cloud’s FedRAMP assessments since their initial assessment in 2014. We also performed their DISA IL4 accreditation assessment and briefing activities, as well as assisted them in documenting policies and procedures and their System Security Plan (SSP) for the Government Cloud. 

4. What services can Coalfire provide to ISVs seeking a FedRAMP authorization?

Coalfire offers advisory and assessment services for the FedRAMP authorization process. Our advisory team helps ISVs properly engineer and document their system to meet FedRAMP standards. Our assessment team works with the ISVs to perform the FedRAMP required testing and package that addresses source code review, operating system scanning, database scanning, web application scanning, penetration testing, and manual controls testing. Our assessment team will then create a final package that incorporates all results into one report that is then used for the authorization briefing. It is important to note that FedRAMP will not allow Coalfire or any other Third-Party Assessment Organization (3PAO) to perform both advisory and assessment activities, as the assessment will then test their own company’s deliverables. 

For more information please contact me at

David Clevenger


David Clevenger — Senior Director FedRAMP Assessment Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit Azure bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS