
CyberArk Compliance & Certifications 2026
CyberArk publishes SOC 2, SOC 3 and a deep ISO set, plus FedRAMP High for its government EPM agents. The strongest reports sit behind a trust-center NDA.
CyberArk Compliance verdict
CyberArk's compliance file is deep, as you would expect from a privileged-access vendor.
The SafeBase trust center publishes SOC 2 and SOC 3, plus the ISO 27001, 27017 and 27018 family. Alongside them sit ISO 42001 for AI, ISO 9001 and 22301, PCI DSS v4.0.1, HIPAA, CSA STAR, Common Criteria, IRAP, Cyber Essentials Plus, plus a DoDIN APL listing for defense.
CyberArk brings privileged-access-grade assurance: the certifications most security teams ask for, plus an independently verifiable FedRAMP High authorization for its government endpoint offering. Start by confirming which module you are actually buying. FedRAMP covers the government EPM offering, while the broad SOC 2 and ISO set covers the commercial SaaS. Then open a trust-center review and download the SOC 2 report and ISO certificates under NDA. One procurement trap is easy to miss. The government listing now sits under Palo Alto Networks and Idira branding, so verify the contracting entity before you sign. Map the subprocessor list and DPA to your residency needs, and request the DoDIN APL and Common Criteria evidence for defense use.
- FedRAMP authorization is independently listed, but it applies to the Endpoint Privilege Manager for Government offering and its named agents, not automatically every CyberArk SaaS module.
- The government FedRAMP listing names the vendor as Palo Alto Networks and the product as Idira, with the product site at cyberark.com, so confirm the contracting entity.
- The strongest SOC 2 and ISO reports are gated behind a trust-center security review and NDA, so plan to request them during evaluation.
- FedRAMP
- High (Class D), EPM for Gov
- Federal
- 3 ATOs / 5 reuses
- Core reports
- SOC 2/3, ISO 27001/17/18
- AI + DoD
- ISO 42001, DoDIN APL, Common Criteria
- Evidence
- SOC 2 + ISO under NDA
This page covers CyberArk's compliance posture and evidence. Its general PAM capabilities and deployment mechanics live on their own pages.
CyberArk certifications and the evidence behind them
| Framework | Status | Evidence to request |
|---|---|---|
| SOC 2 / SOC 3 | Reports available | SOC 2 report downloadable under NDA via the trust center |
| ISO/IEC 27001:2022 / 27017 / 27018 | Certified | ISMS, cloud-security and cloud-privacy certificates |
| FedRAMP (EPM for Government) | Authorized, Class D (High) | Regulator-listed: Rev5, 3 ATOs / 5 reuses; Windows, macOS and Linux agents |
| ISO 42001:2023 / ISO 9001 / ISO 22301 | Certified | AI management, quality and business-continuity certificates |
| PCI DSS v4.0.1 / HIPAA | Compliant | Latest PCI standard and healthcare data handling |
| Common Criteria / DoDIN APL | Certified | Product assurance plus the US DoD approved-product list |
| CSA STAR / IRAP / Cyber Essentials Plus | Certified | Cloud-assurance registry plus AU IRAP and UK regimes |
Compliance evidence to request from CyberArk
| Evidence | Type | How to get it |
|---|---|---|
| SOC 2 report | Report | Trust center, security review and NDA |
| ISO certificates (27001, 27017, 27018, 42001, 9001, 22301) | Certificate | Trust center, downloadable |
| FedRAMP authorization package | Package | FedRAMP Marketplace request form, .gov or .mil email |
| DoDIN APL document | Listing | Trust center, defense buyers |
| DPA and subprocessor list | Document | Trust center, data-privacy section |
What to verify before you rely on CyberArk
- FedRAMP authorization is for the specific Endpoint Privilege Manager for Government offering and its named agents, not automatically every CyberArk SaaS module, so confirm which product carries the authorization you need.
- The government FedRAMP listing names the vendor as Palo Alto Networks and the product as Idira Endpoint Privilege Manager, with the product website still at cyberark.com, so verify the contracting entity for procurement.
- The strongest evidence is gated: start a review and download the SOC 2 report and ISO certificates under NDA rather than relying on the badge list.
- For defense use, confirm the DoDIN APL listing and Common Criteria evaluation cover the specific product version you intend to deploy, and map the subprocessor list and DPA to your residency obligations.
CyberArk Compliance FAQ
Is CyberArk FedRAMP authorized?
Yes, for its government endpoint offering. The US-government FedRAMP Marketplace independently lists Endpoint Privilege Manager for Government as Certified at Class D, or High, on Rev5. It has been authorized since 14 March 2024, with 3 authorizations and 5 reuses covering the Windows, macOS, Linux agents. The listing now appears under Palo Alto Networks and Idira branding, and FedRAMP applies to that specific government offering rather than every CyberArk SaaS module.
Which compliance certifications does CyberArk hold?
A broad set, published on its trust center. The core reports are SOC 2 and SOC 3, plus the ISO/IEC 27001:2022, 27017:2015 and 27018:2019 family. On top of that sit ISO/IEC 42001:2023 for AI management, ISO 9001:2015 and ISO 22301, PCI DSS v4.0.1, HIPAA, CSA STAR, Common Criteria, IRAP, Cyber Essentials Plus. It also carries a DoDIN APL document, with CCPA and GDPR alignment.
How do I get CyberArk's SOC 2 report and other evidence?
Through the CyberArk Trust Center, powered by SafeBase. You start a security review and request access, then view and download the sensitive documents under NDA, including the SOC 2 report and the ISO certificates. Federal buyers can request the FedRAMP package for Endpoint Privilege Manager for Government directly from the FedRAMP Marketplace, and defense buyers can request the DoDIN APL document.
How does CyberArk handle data and where is it hosted?
It runs on Amazon Web Services with documented business continuity and disaster recovery. It maintains a published Data Processing Agreement and subprocessor list, documents data backups and erasure, and aligns with CCPA and GDPR. The FedRAMP-listed government offering is classified as SaaS on a public-cloud deployment model.
What should I verify before approving CyberArk?
Confirm which module carries the certification you need, since FedRAMP applies to the government EPM offering rather than every SaaS module. Because the government listing sits under Palo Alto Networks and Idira branding, verify the contracting entity. Download the actual SOC 2 and ISO reports under NDA rather than trusting the badge list. Map the subprocessor list and DPA to your obligations, and request the DoDIN APL and Common Criteria evidence for defense deployments.
Sources & verification
| Source | What was checked | Last checked |
|---|---|---|
| Cyberark Official | Official product page | July 10, 2026 |
| Cyberark Trust center | Product documentation | July 10, 2026 |
| FedRAMP Marketplace | FedRAMP authorization status | July 10, 2026 |
Every fact on this CyberArk page is tied to a named source and a verification date. Freshness-sensitive figures trace to the sources above; verify against the vendor before relying on them.
Explore CyberArk
Every page on CyberArk in one place, you are on compliance.
Snapshot, score and verdict
You are here
Hosting model, environments and rollout in your stack
Every tier and the entry price
Compared and ranked vs peers
Price and feature change history
Browse the full Identity & Access Management category
