Imperva Solutions for Federal Government


Federal databases, file servers, and Web applications are a critical and indispensable part of the U.S. Government's IT infrastructure and operations. For hackers and malicious insiders, however, these repositories and the sensitive data they host represent an opportunity to seize valuable data or launch a cyberattack.

Federal organizations depend on Imperva's SecureSphere Data Security solutions to discover, classify, and protect sensitive data, manage access rights, and mitigate the risks of data-centric attacks aimed at applications, files, and databases. SecureSphere establishes a repeatable data risk management process and provides a fast and cost-effective route to regulatory compliance.

Imperva's leading SecureSphere data security and compliance solutions provide:

  • Data Breach Prevention: Real-time protection against hackers and malicious insiders targeting sensitive data
  • Regulatory Compliance: Fast and cost-effective route to compliance with full visibility into data usage, vulnerabilities and access rights
  • Data Risk Management: Continuous and repeatable process for identifying and mitigating data risk

The U.S. Government has recognized the importance of information technology security and has enacted various security guidelines to mitigate risk and protect government information systems and data. SecureSphere enables Federal organizations to meet these guidelines with predefined policies that can be implemented to audit configurations, record access events and changes, alert on and block unauthorized access, and more.

Federal Information Security Management Act (FISMA)
Recognizing the importance of information security, the U.S. Government enacted the Federal Information Security Management Act of 2002 ("FISMA"). FISMA requires each federal government agency to develop acceptable system configuration policies and ensure compliance with these definitions. Systems with secure configurations have fewer vulnerabilities and are less exposed to malicious attacks.

To reduce the cost of FISMA compliance, Federal agencies are advised to implement technologies that automate security controls. SecureSphere solutions enable many of these controls required by FISMA as well as guidelines provided by the National Institute of Standards and Technology (NIST), the Department of Homeland Security and the Department of Defense (DoD).

NIST SP 800-53 Security Controls for Federal Information Systems
Mandated by FISMA, NIST has created Special Publications that provide guidelines and security controls for Federal Information Systems.

  • NIST SP 800-53 was designed to help Federal agencies develop appropriate security policies and controls to protect all federal information and information systems. Imperva SecureSphere solutions help Federal organizations to discover, classify, and protect sensitive data and manage access rights to satisfy the SP 800-53 guidelines.

    Download: Meeting NIST SP 800-53 Guidelines White Paper
  • NIST SP 800-137: Information Security Continuous Monitoring (ISCM)
    This Special Publication recommends that Federal organizations maintain ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. In order to measure the effectiveness of the security controls, the publication requires a well-designed continuous monitoring strategy. SecureSphere Data Security Suite provides Federal agencies with practical solutions to implement and continuously monitor their security controls to demonstrate compliance with SP 800-137.

    For more information regarding SP 800-137 visit:

DoD DISA Database Security Technical Implementation Guides
The DoD publishes Security Technical Implementation Guides (STIG) developed by the Defense Information Systems Agency (DISA). The guidelines target conditions that can undermine the integrity of IT systems, contribute to inefficient security operations and administration, or lead to the interruption of production operations. The STIG ensures the organization has properly installed and implemented its database environment and that it is being managed in a way that is secure, efficient and effective. SecureSphere performs assessments based on the DISA STIG and documents vulnerabilities that put databases at risk, and configurations that deviate from defined standards.

IRS 1075
IRS 1075 provides tax information security guidelines for Federal, State and Local Agencies. It requires that personal and financial information in IRS systems is protected against unauthorized use, inspection or disclosure. Imperva's data security solutions address multiple sections of the guideline, including audit and security guidance to ensure that access to FTI (federal tax information) is limited to only those individuals who are authorized to access and have a need to know.

Compliance with the FIPS 140-2 Standard
SecureSphere database, file and web security solutions implement the FIPS 140-2 standard. FIPS (Federal Information Processing Standard) certifies cryptographic operations in computer systems and is a requirement for information security products deployed in sensitive U.S. and Canadian government installations.

Implementation of FIPS 140-2 means that the SecureSphere Data Security Suite meets the following two key government requirements:

  • United States FIPS 140-2 Cryptographic Module Validation Authority (CMVA), set by the National Institute of Standards and Technology
  • Canadian FIPS 140-2 CMVA, set by the Communications Security Establishment (CSE)

The use of validated cryptographic modules is required by the United States Government for all unclassified uses of cryptography. The Government of Canada also recommends the use of FIPS 140 validated cryptographic modules in unclassified applications of its departments.

For more information regarding FIPS 140-2, visit:

Common Criteria
Imperva SecureSphere v11.5 for Web Application Firewall (WAF) and Database Audit and Protection (DAP) have achieved Common Criteria certification under the uncompromising National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS). The certified products are compliant with Protection Profile for Network Devices version 1.1.

For certification details, please visit

This certification applies to Imperva SecureSphere v11.5 Patch 5:

  • Gateway Appliances: X1010, X10K, X2010, X2510, X4510, X6510, X8510
  • MX Management Server Appliances: M110, M160
  • Virtual Machine Appliances: V1000, V2500, V4500 (for Gateway), VM150 (for MX)
  • Optionally, a SecureSphere Operations Manager (SOM) Management Server Appliance M160 and Virtual Machine Appliance VM150

The certification above builds upon the previous Common Criteria certification for Information Technology Security Evaluation, Version 3.1 (Revision 3) with Evaluation Assurance Level 2 (EAL2) that SecureSphere ver 9.0 received in 2012. The certificate was issued by the NIAP, and the EAL2 validation report is available at

Imperva is a GSA-Approved vendor. For more information about Imperva's GSA contract, please contact