2 Replies Latest reply on Nov 14, 2012 7:06 AM by Mike_Mitchell

    Government certifications?


      Good day, all. I'm consulting with a client who's asked some questions regarding certifications by (US) government entities / against government standards, and I don't know the answers. Does anyone know the answers to these questions?


      1. Are you aware of whether FileMaker Pro (or any of its runtime programs) has been certified by either DoD through its DIACAP process, or DHS through its Technical Reference Model (TRM), for use on government internal and secure networks?


      2. Is FileMaker Pro data compliant with the HIPAA/HITECH standards for data encryption (specifically, the data-at-rest encryption requirements)?


      I'm assuming the answer to (2) is "no", given previous discussions of the "obscured" vs. "loose encryption" standard for the data file itself. But if anyone who's done any HIPAA work knows for sure, that'd be great.


      And I've never heard of any DoD or DHS certifications for secure networks, but ... thought I'd ask anyway.

        • 1. Re: Government certifications?

          For HIPAA, I think encryption of data at rest is not strictly necessary, just recommended. (I believe encrypting data in motion is required, which we have SSH and VPNs for.) Also know that with HIPAA, the underlying technology (FileMaker) is less relevant to satisfying the standards than the behavior of the application you build on it, the operating environment (restricted-access physical facilities, VPN, etc.), and the procedures for handling it documented and practiced by the "covered entity" (owner of the data). I'm less familiar with the requirements for solutions designed to be eligible for HITECH grants. Encryption plug-ins can do the job if you have the budget for the extra development effort to do everything through them. Certainly, back up to an encrypted drive if you can. I don't know whether OS-level encryption of the drive that live-hosted FileMaker files reside on is a good idea or not.

          • 2. Re: Government certifications?

            Thanks, Jeremy. I think this is a fishing expedition from the client's management (they're primarily a Microsoft shop), and I read the spec the same way you do: encryption is "addressable", not required. But I can't find the phrase "at rest" anywhere in the documentation, so I was hoping someone more familiar might be able to point me to something.