Cloud Compliance

We prioritize the security of your data by continuously enhancing our capabilities to keep up with the ever-evolving security landscape.

Deltek's SaaS solutions are independently tested at least annually using industry-leading standards and subject to continuous, 24x7x365 monitoring for anomalous activity. Ongoing risk assessments, vulnerability management, and control validation are performed to ensure the continued protection of customer data against evolving threats.

System and Organization Controls (SOC) Reporting

SOC reports are designed to provide assurance on internal controls over financial reporting (SOC 1), as well as system security and availability (SOC 2 and SOC 3). These reports are created for Deltek by an independent auditor who evaluates Deltek's internal security controls against the AICPA-defined control standards.

SOC 1

The SOC 1 Type II Report provides information on controls at a service organization, like Deltek, that are relevant to user entities' internal control over financial reporting.

SOC 1 reports are prepared in accordance with AT-C section 320 and are specifically intended to meet the needs of entities that use service organizations and the CPAs that audit the user entities’ financial statements.

SOC 2/ISAE 3000

The SOC 2 Type II Report provides information on controls at a service organization which may include one or more of the following trust services criteria: security, availability, processing integrity, confidentiality and/or privacy. Deltek conducts semi-annual SOC 2 reports for products hosted in Deltek’s Cloud.

SOC 3

The SOC 3 Report discusses the evaluation of the same AICPA criteria as a SOC 2 Report but does not include a description of the auditor's tests of controls and results, making this report available for general use.

Deltek Cloud solutions with available SOC 1, SOC 2 and SOC 3 Reports:

  • Ajera
  • ConceptShare
  • Costpoint
  • GovWin
  • Maconomy
  • Project Information Management
  • Replicon
  • Talent Management
  • Unionpoint
  • Vantagepoint
  • Vision
  • WorkBook

Visit the Trust Center to request access to the latest SOC 1, SOC 2 and SOC 3 Reports.

CSA STAR

The Cloud Security Alliance (CSA) is an organization that promotes best practices for providing security assurance in cloud computing. The CSA Security Trust, Assurance and Risk (STAR) attestation provides for an assessment to be performed by a reputable third party that affirms implementation of necessary security controls. This assessment is based on the CSA Cloud Controls Matrix (CCM) and controls from SOC 2 and ISO/IEC 27001.

The following Deltek Cloud solutions have the CSA STAR Level 1 attestation:

The following Deltek Cloud solutions have the CSA STAR Level 2 attestation:

FedRAMP Authorized

The Federal Risk and Authorization Management Program (FedRAMP®) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. Deltek's Replicon platform is FedRAMP Authorized at the moderate impact level for project time tracking and is listed on the FedRAMP Marketplace.

The following Deltek Cloud solutions are authorized:

FedRAMP Moderate Equivalent

Deltek Costpoint GCCM has completed its FedRAMP Moderate Equivalency assessment and achieved FedRAMP Moderate Ready status. It is now listed on the FedRAMP Marketplace, meeting the requirements for CSPs supporting CMMC Level 2 and Level 3 certification for DoD contractors.

Deltek’s Costpoint GCCM can now demonstrate that it meets the DoD’s standard for cybersecurity compliance by providing a Body of Evidence, assessed by a FedRAMP recognized third-party assessment organization (3PAO).

CMMC

The Cybersecurity Maturity Model Certification (CMMC) is designed to enhance the protection of controlled unclassified information (CUI) in the United States Department of Defense supply chain and leverages NIST SP 800-171 controls and requirements.

Deltek is committed to supporting CMMC readiness. Deltek’s Costpoint ERP delivered in GovCon Cloud Moderate (GCCM) has already implemented all the necessary controls to support compliance with FAR, DFARS and CMMC requirements.

CIS

CIS Critical Security Controls & Benchmarks are a prioritized set of safeguards to mitigate the most prevalent cyberattacks against systems and networks. Deltek has implemented these controls in both of our Costpoint GovCon Cloud SaaS offerings as well as in our Vantagepoint, Maconomy, and Replicon SaaS offerings to improve our cyber defense posture, address cybersecurity risks, and provide a structured approach for supporting compliance requirements. By integrating automated security scanning tools, we continuously monitor our environments against CIS Benchmarks.

Our approach includes:

  • Golden Image & STIG Compliance – Standardized system configurations prevent security drift.
  • Proactive Risk Management – Continuous monitoring and automated remediation keep our infrastructure secure.
  • Audit-Ready Security – Compliance reports and real-time dashboards provide transparency for customers and regulators.

With CIS scanning, Deltek ensures a secure, resilient infrastructure, giving our customers the confidence to focus on innovation—without security concerns.

ISO/IEC 27001:2022

ISO/IEC 27001 is a leading global standard for information security management systems (ISMS), outlining requirements for establishing, implementing, maintaining, and improving an ISMS. Compliance indicates a company effectively manages data security risks according to best practices.

The following Deltek Cloud solutions are certified under ISO/IEC 27001:2022 and provide enhanced security measures to promote confidentiality, integrity, and availability of all information:

NIST 800-171

National Institute of Standards and Technology (NIST) Special Publication 800-171 governs the storage, use and control of Controlled Unclassified Information (CUI) in Non-Federal Information Systems and Organizations. These standards define how to safeguard and distribute material designated by the United States Government to be sensitive but not classified.

Under federal regulations, such as DFARS clause 252.204-7012, certain companies and agencies are required to assess and document their compliance against NIST SP 800-171. This requirement includes assessing how networks are configured and how all data is protected.

Deltek Cloud solutions with implemented controls aligning with NIST SP 800-171:

  • Costpoint GCC & GCCM
  • Replicon
  • Talent Management
  • Vantagepoint

 

Deltek Trust Center

At Deltek, we understand that trust is the foundation of every successful partnership and are committed to continuously improving our systems and services to meet the highest standards. Our Trust Center is a centralized hub designed to provide peace of mind regarding your data and security. It provides details on our security and privacy practices, compliance information, up-to-date resources and more.