HCL BigFix Trust Center

HCLSoftware knows our government clients place critical importance on software security. This core value drives the development of HCL BigFix. Our comprehensive security strategy encompasses all facets of business operations, from corporate security policies and incident management to business continuity planning, secure software development, and privacy protection.

This page outlines HCL BigFix's secure development practices and company/product certifications relevant to our government clients. It explains how HCL BigFix empowers IT and Security teams to protect their endpoint infrastructure effectively.

Secure Product Development

HCLSoftware employs rigorous development procedures to safeguard the code we create and deliver to our clientele, encompassing both commercial and governmental entities.

Additionally, BigFix content is protected in several ways:

  • BigFix Content Servers run in secure data centers

  • File access control lists limit access and changes to authorized users

  • BigFix content itself is cryptographically signed during the secure build process. Content that is not signed correctly is rejected by BigFix servers and logged as an error. As a result, content downloaded by our customers from the BigFix Content Servers is protected and secure
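The signature check described in the last bullet, shown as an added example that is not HCL BigFix code: a verifier that accepts only content whose signature matches, rejects tampered or unsigned items, and records each rejection as an error. The build-time key, the HMAC tag standing in for the product's own asymmetric content signature, and the three content items are all constructed for this illustration.

```python
import hashlib
import hmac
import logging
from dataclasses import dataclass, field
from typing import List, Optional

logging.basicConfig(level=logging.ERROR, format="%(levelname)s %(message)s")
log = logging.getLogger("content-verify")

# Hypothetical build key. The product signs content during its build process;
# an HMAC-SHA256 tag over the content bytes is used here as a dependency-free
# stand-in for that signature so the example runs with the standard library only.
BUILD_KEY = b"constructed-example-key-not-a-real-secret"


def sign_content(key: bytes, content: bytes) -> str:
    """Tag that the (hypothetical) secure build attaches to a content item."""
    return hmac.new(key, content, hashlib.sha256).hexdigest()


@dataclass
class ContentItem:
    name: str
    payload: bytes
    signature: Optional[str]  # None models content that arrived with no signature


@dataclass
class VerifyResult:
    accepted: List[str] = field(default_factory=list)
    errors: List[str] = field(default_factory=list)


def verify_items(key: bytes, items: List[ContentItem]) -> VerifyResult:
    """Accept only items whose signature verifies; log and record every rejection."""
    result = VerifyResult()
    for item in items:
        if item.signature is None:
            msg = f"rejected {item.name}: no signature present"
            log.error(msg)
            result.errors.append(msg)
            continue
        expected = sign_content(key, item.payload)
        # Constant-time comparison so a mismatch leaks nothing about the tag.
        if not hmac.compare_digest(expected, item.signature):
            msg = f"rejected {item.name}: signature does not match content"
            log.error(msg)
            result.errors.append(msg)
            continue
        result.accepted.append(item.name)
    return result


def demo() -> VerifyResult:
    """Constructed sample: one valid item, one tampered item, one unsigned item."""
    good = b'{"site":"example-site","version":"1"}'
    items = [
        ContentItem("item-a", good, sign_content(BUILD_KEY, good)),
        # Same signature, but a byte was appended after signing.
        ContentItem("item-a-tampered", good + b" ", sign_content(BUILD_KEY, good)),
        ContentItem("item-b-unsigned", good, None),
    ]
    return verify_items(BUILD_KEY, items)


if __name__ == "__main__":
    outcome = demo()
    print("accepted:", outcome.accepted)
    print("errors:", outcome.errors)
```

Only `item-a` is accepted; the tampered and unsigned items each produce one error entry. Swapping the HMAC for a public-key signature check changes only `sign_content` and the comparison inside `verify_items`; the reject-and-log flow stays the same.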

Secure Product Support

BigFix product support prioritizes customer data protection by adhering to strict policies. We collect only essential information, granting access to customer contact and case data solely to personnel actively resolving issues. Sensitive customer information is encrypted, ensuring its confidentiality.

Our data protection measures include:

  • Gathering only vital company and contact details

  • Securely transmitting customer information and data via HTTPS and Transport Layer Security (TLS) protocols

  • Sending diagnostic data through SFTP or HTTPS with TLS protocols and employing the AES algorithm for data encryption

The HCLSoftware Support organization is ISO 27001 certified. External audits confirm that our Information Security Management System (ISMS) meets the required standards, demonstrating our commitment to safeguarding client data and information.

For our U.S. Federal customers, we have implemented additional security measures:

  • Federal Access Control List (FACL): All HCL employees interacting with federal customers are on our FACL, which is composed of U.S. citizens living in the U.S. who have passed background checks

  • Federal Support Center: All L1-L3 support personnel at HCL are on the FACL. Federal customers utilize a distinct support portal. Support tickets are stored in a separate, secure ServiceNow instance, accessible only to those on the FACL

  • Dedicated Federal Email System: Federal customers communicate directly only with employees on the FACL, who use separate federal email addresses hosted on FedRAMP certified Outlook servers

HCLSoftware Product Security Incident Response

The HCL Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of reported security vulnerabilities for HCLSoftware product offerings. The PSIRT coordinates with product development teams who investigate reported security vulnerabilities and identify the appropriate response plan. Once a response plan is identified, the product teams communicate with internal and external parties in the execution of our vulnerability response process.

The HCL PSIRT publishes Security Bulletins to our customers and partners. Each Security Bulletin describes the CVE and points to additional details and remediation. Please contact our team at info@hclfederal.com for more information.

HCLSoftware Federal Certifications and Standards Compliance

HCLSoftware is committed to delivering secure environments to all our customers. We collaborate with a variety of organizations that evaluate our compliance with industry security standards, so that our customers and partners can be assured of our product integrity. The following HCLSoftware and HCL BigFix certifications have been obtained or are in progress, as indicated below.

Continuous Diagnostics and Mitigation (CDM) Program Approved Products List (APL)
A curated list of cybersecurity tools approved for use in the U.S. federal CDM Program, ensuring they meet DHS requirements for continuous monitoring and threat detection.

CDM Approved Products List

Federal Information Processing Standards (FIPS)
Publicly issued standards developed by the U.S. government to ensure the security and interoperability of federal IT systems, including encryption, authentication, and data handling protocols.

FIPS 140-2 Certificate Number 4557

National Information Assurance Partnership (NIAP)
A U.S. government program administered by the National Security Agency (NSA) that evaluates and certifies commercial information technology (IT) products for use in national security systems. NIAP ensures that these products meet stringent cybersecurity requirements by using the internationally recognized Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) framework.

HCL BigFix 11.0.3

NIST SCAP (Security Content Automation Protocol)
A suite of specifications that standardizes the format and nomenclature by which security software communicates information about software flaws and configuration issues.

HCL BigFix Compliance V9.2 has obtained SCAP v1.2

HCL BigFix Compliance V10 is in process for SCAP v1.3

Center for Internet Security (CIS)
CIS Benchmarks are published best practices for securing operating systems and software, aimed at eliminating configuration-related vulnerabilities that cyber-attacks could exploit.

HCL BigFix CIS Certification

NIST 800-53
A comprehensive framework of security and privacy controls for federal information systems that helps agencies manage risk and comply with FISMA requirements. HCL BigFix strives to support all applicable NIST 800-53 controls.

View Documentation

Trade Agreements Act (TAA) Compliance
All applicable HCLSoftware offerings are TAA-compliant, ensuring products provided to U.S. federal agencies are manufactured or substantially transformed in approved countries.

NDAA Section 889 Compliance
Our solutions comply with Section 889 of the FY2019 National Defense Authorization Act, ensuring no prohibited telecommunications components are used in our offerings.

Secure Software Development Attestation (OMB 1670-0052)
In alignment with Executive Order 14028, HCLSoftware provides attestations of secure software development practices as required by OMB and CISA under control number 1670-0052.

International Organization for Standardization (ISO)

ISO is an independent, non-governmental organization that develops and publishes standards for products, services, and systems. These standards are intended to ensure quality, safety, efficiency, and interoperability across various industries. HCLSoftware maintains certification against a number of ISO standards.

Our valued government clients can rest assured that we keep security foremost in our minds as we develop, test and deliver effective and secure endpoint management solutions. For more information, please contact us.