Explore our comprehensive documentation outlining Palo Alto Networks' adherence to global security standards


ISO Certifications

ISO certification(s) demonstrates to customers that Palo Alto Networks has been independently assessed to have appropriate processes in place to help ensure the security and reliability of sensitive customer data.

SOC 2+

The Service Organization Control 2+ (SOC 2+) report evaluates a service provider's controls over security, availability, processing integrity, confidentiality, and privacy, and includes additional criteria to ensure robust data protection and compliance with industry-specific requirements, fostering client trust.


The Payment Card Industry Data Security Standards (PCI DSS) is a global information security standard designed to prevent fraud through increased control of credit card data.

Germany C5

Cloud Computing Compliance Controls Catalog (C5) is a German Government-backed attestation scheme to help organizations demonstrate operational security against common cyber-attacks when using cloud services within the context of the German Government's "Security Recommendations for Cloud Providers".


The Trusted Information Security Assessment Exchange (TISAX) assessment is a European automotive industry-standard information security assessment (ISA) catalog based on key aspects of information security such as data protection and connection to third parties.


The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. Federal Government-wide program that provides a standardized approach to the security assessment, authorization, and continuous monitoring of cloud products and services. This framework is applicable to cloud service providers intending to sell their solutions to U.S. Federal agencies. The goal of FedRAMP is to ensure effective, repeatable cloud security for the Federal Government. It has a rigorous application process and criteria for cloud service providers to meet, ranging from the development of thorough security documentation to implementing robust security controls, testing their effectiveness, and conducting ongoing monitoring to ensure continuous security.


StateRAMP brings SLED customers together to develop standards for cloud security, educate on best practices, and recognize a common method for verifying the cloud security of service providers.


The Information Security Registered Assessors Program (IRAP) provides a framework for assessing the implementation and effectiveness of an organization’s security controls against the Australian government’s security requirements.


The Information System Security Management and Assessment Program (ISMAP) is a Japanese government initiative to evaluate and certify the security of cloud service providers to ensure stringent security standards, fostering trust and safeguarding sensitive data for users.

Common Criteria

Common Criteria for Information Technology Security Evaluation (Common Criteria or CC) is an international standard (ISO-IEC 15408) for evaluating IT products and systems. This certification framework provides assurance that the process of specification, implementation, and evaluation of security measures has been conducted in a rigorous, standardized, and repeatable manner. The National Information Assurance Partnership (NIAP) serves as the U.S. representative to the Common Criteria Recognition Arrangement (CCRA), which is composed of over 30 member nations.

FIPS 140

The Federal Information Processing Standard (FIPS) 140 is a U.S. Government standard that defines the security requirements for cryptographic modules protecting sensitive information. This cryptographic module standard applies to systems sold to the U.S. Federal Government and certain regulated industries (such as healthcare and finance) that handle sensitive information. FIPS 140 has four levels of security, with level 1 containing the lowest level of security assurance and level 4 being the highest. FIPS 140 compliance is recognized around the world as the benchmark for cryptographic module security in both public sector and industries outside of the public sector.

Telecom Security Act Code of Practice

The Telecom Security Act Code of Practice is a compliance framework developed by the UK government to strengthen the security of the UK's telecoms networks and services. This legislation applies to all public electronic communications networks and services in the UK. The code of practice sets out security requirements that telecom operators and their service providers must meet.

NCSC Cloud Security Principles

The National Cyber Security Centre (NCSC) Cloud Security Principles are a set of 14 principles designed to aid in the secure use of cloud services. They are applicable to all organizations within the UK looking to adopt cloud services. The principles cover a broad range of cloud security aspects including data protection, identity and access control, secure usage, and operational security.

Cyber Essentials Plus

Cyber Essentials Plus is a UK government-backed, industry-supported scheme to help organizations protect themselves against common online threats. This framework is applicable to all organizations, of any size, in any sector, operating in the UK. It tests five key controls: secure configuration, boundary firewalls and internet gateways, access control and administrative privilege management, patch management, and malware protection. If a vendor wants to sell into the UK public sector and bid for central government contracts, a Cyber Essentials certification is required. This certification assures that essential precautions against cyber threats are in place, which include firewalls, secure configuration, user access control, malware protection, and patch management. There are two levels of certification: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials Plus is more rigorous as it requires vulnerability tests to be performed as part of the certification.

ANSSI CSPN Top-Level Certification

The Top Level Certification from ANSSI (National Agency for Information Systems Security) is a French Government certification for information security products. The certification is recognized by the French administration and operators of vital importance. It is applicable to products and systems that are being sold in France and is aimed at demonstrating a high degree of security assurance.


The Department of Defense Information Network Approved Products List (DODIN APL) is a U.S. military compliance framework. It includes a list of products that have completed cybersecurity and interoperability requirements. This framework applies to vendors intending to sell information technology products to the U.S. Department of Defense.


The Commercial Solutions for Classified (CSfC) Program has been established by the U.S. National Security Agency (NSA). It enables organizations to transmit classified information using commercially available technology, including mobile and cloud systems. The program is primarily for U.S. Government departments and contractors who handle classified information.


The U.S. Government IPv6 (USGv6) is a technical standards profile for IPv6 for the procurement and deployment of IPv6-capable products and services within the U.S. Federal Government. This profile includes technical standards, testing, and purchasing requirements to enable and expedite the deployment of IPv6 in the Federal Government's infrastructure and services.. This framework aims to advance the adoption of IPv6 in government systems and ensure its successful integration.


The Network Equipment Building System (NEBS) is a set of safety, spatial, and environmental design guidelines applied to telecommunications equipment to ensure reliability and compatibility within carrier networks. There are 3 levels of NEBS compliance, with level 1 being the lowest level of assurance and level 3 being the highest.

US Cloud Act

The US Cloud Act, or the Clarifying Lawful Overseas Use of Data Act, is a law enacted in the United States that grants the government the authority to access electronic data held by US-based technology companies, even if that data is stored on servers located outside of the United States. Essentially, it allows US law enforcement agencies to compel companies to provide data stored in their systems, regardless of where the data is physically located, which has implications for privacy and data protection on a global scale.

VPAT Section 508

The Section 508 Voluntary Product Accessibility Template (VPAT) is a document that evaluates how accessible a product is for people with disabilities to ensure an organization’s technology complies with accessibility standards, promoting inclusivity and equal access.