Our Approach
Software security is critically important to HCLSoftware and our valued government clients. We take pride in our ability to support the needs and requirements of the U.S. federal government and strive to ensure we provide secure, compliant solutions. Our security strategy covers all aspects of our business, including corporate and organizational security policies, incident management and response, business continuity and disaster recovery, secure software development processes, and privacy. Please reach out to info@hclfederal.com with any questions.
Security, Privacy and Data Protection
HCLSoftware prioritizes trust, security and privacy across our entire solution suite. We ensure leading edge security best practices are a core part of all stages of our software development lifecycle before any solution is released to market. This includes comprehensive security scanning techniques, robust penetration testing and threat modelling at all levels of the application and infrastructure stack. We use our own products in addition to leveraging a diverse set of third-party researchers and tools, to test comprehensive capability across all levels. Following application introduction, we continue to constantly assess its risk profile and immediately initiate any additional remediation measures, if necessary.
The resources you see below proudly demonstrate our commitment to the trust, security and privacy of our solutions.
– Adam Currie, Global VP & Chief Information Security Officer
Secure Product Development
We adhere to stringent development processes for the code we develop and provide to both our commercial and government customers. The development models (standard release or continuous delivery) cover the full development cycle, including key practices around:
- Requirements management
- All aspects of architecture and design
- Secure engineering practices
- Risk management
- Threat modelling
- Code scanning
- Coding and coding standards
- Review and test methods at all stages
- Defect management
All development practices incorporate change control and are the key criteria assessed at release approval stage.
Secure Product Support
Our product support teams protect customer data and information by collecting only vital information, by limiting access to customer contact information and case data to those actively working to troubleshoot the reported problem, and by encrypting customer-sensitive information so that it is unreadable to anyone other than the intended party. Our data protection policy includes:
- Collecting only vital company and contact information.
- Communicating customer information and data via HTTPS and Transport Layer Security (TLS) protocols.
- Sending diagnostic data via SFTP or HTTPS using TLS protocols and encrypting stored data using the AES algorithm.
Support for our U.S. federal government customers is handled in the U.S. by U.S. citizens.
HCLSoftware Product Security Incident Response
The HCL Product Security Incident Response Team (PSIRT) manages the receipt, investigation and internal coordination of reported security vulnerabilities for our solution offerings. The PSIRT coordinates with product development teams who investigate reported security vulnerabilities and identify the appropriate response plan. Once a response plan is identified, the product teams communicate with internal and external parties in the execution of our vulnerability response process.
The HCL PSIRT publishes Security Bulletins to our customers and partners. Each Security Bulletin describes the CVE and points to additional details and remediation. Please contact our team at info@hclfederal.com for more information.
HCLSoftware Federal Certifications and Standards Compliance
Delivering secure environments to customers
We’re committed to delivering secure environments to all our customers. In support of this commitment, we have developed an Information Security Management System (ISMS) to drive consistency in approach across all of our products and services. Our ISMS allows us to set standards for security and measure our levels of compliance both internally and externally. One of our key external measures is the achievement of compliance certifications listed below.
Led by CISA, the Continuous Diagnostics and Mitigation (CDM) program helps federal agencies gain continuous visibility into assets, vulnerabilities, and threats to strengthen cybersecurity. Solutions listed on the CDM Approved Products List (APL) meet rigorous federal security standards for trusted deployment.
Applicable Products: HCL BigFix, HCL AppScan
A U.S. government program administered by the National Security Agency (NSA) that evaluates and certifies commercial information technology (IT) products for use in national security systems. NIAP ensures these products meet stringent cybersecurity requirements by using the internationally recognized Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) framework.
Applicable Products: HCL BigFix
CIS Benchmarks are consensus best practices for securing operating systems and software, intended to eliminate configuration-related vulnerabilities that cyber-attacks could exploit.
Applicable Products: HCL BigFix
Our solutions comply with Section 889 of the FY2019 National Defense Authorization Act, ensuring no prohibited telecommunications components are used in our offerings.
ISO is an independent, non-governmental organization that develops and publishes standards for products, services, and systems. These standards are intended to ensure quality, safety, efficiency, and interoperability across various industries. HCLSoftware maintains a number of standards. Please reach out to info@hclfederal.com for more details.
Federal Information Processing Standards (FIPS) are publicly issued standards developed by the U.S. government to ensure the security and interoperability of federal IT systems, including encryption, authentication, and data handling protocols.
Applicable Products: HCL BigFix FIPS 140-2 Validated, HCL AppScan 360° FIPS 140-3 Compliant
The Security Content Automation Protocol (SCAP) is a suite of specifications that standardizes the format and nomenclature by which security software communicates information about software flaws and configuration issues.
Applicable Products: HCL BigFix 11.0.2 has achieved SCAP v1.3 validation.
All applicable HCLSoftware offerings are Trade Agreements Act (TAA) compliant, ensuring products provided to U.S. federal agencies are manufactured or substantially transformed in approved countries.
In alignment with Executive Order 14028, HCLSoftware provides attestations of secure software development practices as required by OMB and CISA under control number 1670-0052.
Common Criteria (CC) is an internationally recognized standard that ensures IT products are evaluated against rigorous, repeatable security requirements—aligned with their intended use in secure environments.
Applicable Products: HCL BigFix v11
For more information on security and compliance standards, please contact us at info@hclfederal.com.