BlackBerry® software, devices and management systems have undergone rigorous evaluations by leading independent certification bodies. For demanding customers in government, defense, intelligence, regulated and other industries where compliance is critical, our certifications provide an assurance of quality, reliability and security that only BlackBerry can deliver. Learn about some of the key certifications BlackBerry has obtained in the summaries below.
The ISO 27018 standard is intended to be “a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system based on ISO/IEC 27001, or as a guidance document for organizations for implementing commonly accepted PII protection controls”. The standard is primarily concerned with public-cloud computing service providers acting as PII processors.
ISO 9001 is the most widely adopted international quality standard with over 1.1 million certificates issued worldwide. BlackBerry has been certified to ISO 9001 since 2005. The standard is based on a number of quality management principles which include having a strong customer focus, organizational leadership driving quality engagement, using the process approach and continual improvement.
ISO/IEC 27001 provides a model for establishing an information security management system (ISMS), which aligns people, resources, and controls, to create a series of measurable security practices to protect information assets. BlackBerry has an established record of integrating secure practices. In 2002, BlackBerry was one of the first organizations in North America to receive accreditation against the BS7799 Security Standard. This standard was later adopted by the International Standards Organization as ISO/IEC 27001:2005 and, most recently, ISO/IEC 27001:2013.
The Federal Risk and Authorization Management Program, or FedRAMP, is a US government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP is the result of close collaboration with cybersecurity and cloud experts from the General Services Administration (GSA), National Institute of Standards and Technology (NIST), Department of Homeland Security (DHS), Department of Defense (DOD), National Security Agency (NSA), Office of Management and Budget (OMB), the Federal Chief Information Officer (CIO) Council and its working groups, as well as private industry.
View our FedRAMP authorization here
The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria, including management of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS) validation body. NIAP also works with NATO and international standards bodies (ISO) to share Common Criteria evaluation experiences and avoid duplication of effort. In the U.S., NIAP engages with other National Security Systems (NSS) users to ensure Protection Profiles, along with their associated DoD Annexes, provide a streamlined certification path for IA and IA enabled COTS products employed with NSS.
View details of NIAP compliant BlackBerry products here
Cyber Essentials is a cyber security standard developed under the auspices of the Communications-Electronics Security Group (CESG), the information security arm of Government Communications Headquarters (GCHQ) in the United Kingdom. It identifies the security controls that an organization must have in place within its IT systems in order to have confidence that it is addressing cyber security effectively and mitigating the risk from Internet-based threats.
NATO has approved the BlackBerry® Enterprise Solution for the storage and transmission of data up to and including the NATO RESTRICTED classification.
Certificate of Networthiness (CoN) and Authority to Operate (ATO)
The Networthiness Certification Program manages the specific risks and impacts associated with the fielding of Information Systems (ISs) and supporting efforts, requires formal certification throughout the life cycle of all ISs that use the Information Technology (IT) infrastructure, and sustains the health of the US Army Enterprise Infrastructure.
Common Criteria EAL4+
Common Criteria assesses the design and implementation of security-sensitive products and provides assurance that the specification, implementation, and evaluation of each solution have been thoroughly analyzed. EAL4+ is the highest certification level recognized internationally under the Common Criteria program, and is frequently conducted for products that are deployed in environments handling sensitive government data.
The Cryptographic Module Validation Program (CMVP), headed by the National Institute of Standards and Technology (NIST), provides module and algorithm testing for FIPS 140-2, which applies to Federal agencies using validated cryptographic modules to protect sensitive government data in computer and telecommunication systems. The FIPS 140-2 standard is mandated by law in the U.S. and very strictly enforced in Canada, for all products used in security systems that process sensitive but unclassified information. FIPS 140-2 validation provides product users with a high degree of security, assurance, and dependability.
The Payment Card Industry Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. PCI DSS provides a baseline of technical and operational requirements designed to protect account data. PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).
IEC 61508 Safety Integrity Level 3 (SIL 3)
The QNX® OS for Safety is certified to meet the requirements of International Electrotechnical Commission (IEC) standard 61508 Safety Integrity Level 3 (SIL3). IEC 61508 is an international standard for the functional safety of electronic systems, and offers a very high level of reliability and risk reduction when used in safety-critical systems for transportation, energy generation, process control, and other industries.
ISO 26262 Automotive Safety Integrity Level (ASIL) D
The QNX OS for Safety is assessed to be compliant with ISO 26262 Automotive Safety Integrity Level D (ASIL D). ISO 26262 is a standard adapted from IEC 61508 that defines functional safety for electronic systems, electrical systems, and software components in the automotive market.