Overview
Salesforce Government Cloud and Government Cloud Plus are dedicated instances of Salesforce designed to address stringent security and compliance requirements of the U.S Government whereas Salesforce Commercial cloud (or Salesforce) is the widely used solution designed to serve all industries and use cases. Salesforce and Salesforce Government Cloud have a lot of similarities but what differentiates the two versions is the Regulatory Compliance, Data Residency, Isolation and Security Focus for Salesforce Government Cloud. Salesforce Commercial cloud has compliance and safety features that are not as stringent as the U.S Government requires for most of the agencies and entities that serve the Government. This article answers one question – How do I determine if I need Commercial Cloud or Government Cloud If I am a Government Contractor or Supplier?
Salesforce Commercial Cloud
Salesforce Commercial Cloud is the standard Salesforce instance available to most customers. This is the suite of products that Salesforce has been building since its existence. These products include almost everything that Salesforce had built or purchased and integrated into the ecosystem over approximately the past 25 years. Salesforce Commercial cloud is geared towards the non-government customers but can also be used for Government customers. Before the introduction of GovCloud, all customers were on the Salesforce Cloud aka Commercial Cloud. There is a vast amount of AppExchange products (products that can be purchased from third parties as add-ons) available for customers to purchase via the AppExchange portal. Almost all of the Salesforce products are compatible with Commercial cloud.
Government Cloud Feature and Product Availability
Salesforce Government Cloud Plus is a dedicated instance of Salesforce’s multi-tenant public cloud infrastructure specifically isolated for use by U.S. federal, state, and local government customers, U.S. government contractors, and Federally Funded Research and Development Centers (FFRDCs). Salesforce uses infrastructure provided by Amazon Web Services, Inc. (“AWS”) to host Customer Data submitted to Salesforce Government Cloud Plus’s Covered Services.
Salesforce Government Cloud is built with the following core principles:
- Regulatory Compliance: Salesforce Government Cloud is designed to meet the stringent security and compliance requirements of government agencies and organizations. It adheres to various compliance standards, such as FedRAMP (for U.S. federal agencies), HIPAA (for healthcare), and more.
- Data Residency: Salesforce Government Cloud data is stored within the continental United States, helping address data sovereignty and residency concerns for government organizations.
- Isolation: Salesforce Government Cloud instances are logically isolated from commercial instances, ensuring that government data is kept separate from other customers’ data.
- Dedicated Support: Salesforce Government Cloud often comes with dedicated support tailored to the needs of government agencies, providing specialized assistance and expertise.
- Security Focus: Salesforce Government Cloud places a strong emphasis on security, access controls, and data protection due to the sensitive nature of government data.
Feature Parity and AppExchange
Salesforce Commercial Cloud often receives new features and enhancements earlier than Salesforce Government Cloud. It offers a wide range of customization options, third-party integrations, and applications from the Salesforce AppExchange. However, Salesforce Government Cloud is not very far behind. New and existing features are thoroughly vetted against the compliance and security policies put in place for Salesforce Government Cloud before they are released.
The number of Salesforce AppExchange products that are Salesforce Government Cloud compatible are limited as compared to the Salesforce Commercial Cloud. This is due to the fact that a majority of companies that build Salesforce AppExchange products are generally focused on Commercial Cloud instead of Salesforce Government Cloud.
Public Section Foundation (PSF) & Omni Studio:
One major feature difference between the Salesforce Commercial Cloud and Salesforce Government Cloud is the inclusion of Public Sector Foundation (“PSF”) as a core feature set for Salesforce Government Cloud. Public Sector Foundation offers a lot of features and functions that are applicable to government entities as well as government suppliers. Some of the functionality for PSF includes:
- Grants Program Management
- Licensing, Permitting and Inspections
- Employee Experience
- Emergency Management
- Benefits Management
- Social Care
- Investigation Management
In addition to these, PSF includes OmniStudio which extends that point and click features to build more complex processes and personalized experiences with minimal to no code. OmniStudio and other industry-specific products are available for Salesforce Commercial Cloud based on specific industries. These may be purchased as add-ons for the Commercial Cloud.
Government Cloud Interoperable Salesforce Products (not FedRAMP Authorized)
Some of the Salesforce applications are interoperable with Salesforce Government Cloud Plus but are not FedRAMP Authorized. Some of these products are listed below:
- Salesforce CPQ
- Heroku
- High Velocity Sales
- Einstein Activity Capture
- Service Cloud Voice
- Revenue Intelligence
- B2B Commerce
- Some Salesforce AppExchange Apps
Please note that most of these products work seamlessly with Government Cloud but are not FedRAMP approved. Government Contractors and Federally Funded Research and Development Centers can make decisions and exceptions for using these products if needed although specific approvals from sponsoring agencies may be required in some cases.
U. S Government Contractors – Commercial Cloud or Government Cloud?
As a U.S Government Contractor or Supplier trying to acquire and build Salesforce applications, the question of using Commercial Cloud vs. Government Cloud is inevitable. The answer to this question depends on a multitude of factors which will be discussed in this section.
Is government-related FCI or PII data saved in Salesforce?
Answering “yes” to this question does not automatically lead us down the path of using Salesforce Government Cloud. However, agencies that you are serving may specifically require the contractors to use FedRAMP-authorized products and ensure that the data does not leave the Salesforce Government Cloud boundary. Salesforce Government Cloud also offers encryption at rest as a standard with an option to add another layer of encryption at the application level if needed.
A lot of the security controls can also be built into the Salesforce Commercial Cloud but the data residency and isolation of federal data is not an option in the Salesforce Commercial Cloud. Some of the controls may need additional products like Salesforce Shield in both Commercial and Government Clouds. Salesforce Commercial Cloud could be an option in this case if there are no specific requirements from federal agencies being served as long as the data is secured and encrypted using the multitude of Salesforce features (like organization-wide defaults, profiles, roles, sharing settings, etc.) to ensure that the data and functionality are isolated to users that should have access to it.
How do Salesforce products and cost impact the Commercial vs. Government Cloud decision?
Setting the compliance, data residency, and isolation aside, most of the core Salesforce products like Sales Cloud, Service Cloud, Experience Cloud, etc. are almost at parity between Commercial and Government Cloud. Salesforce Government Cloud’s Public Sector Foundation (which is not available on Commercial cloud) not only provides some standard applications as listed in the PSF section above but it also includes OmniStudio which is an extremely powerful tool to extend the point-and-click features of Salesforce to build very complex workflows and experiences for users.
On the flip side, if applications like CPQ and Commerce Cloud need to be installed for Salesforce Government Cloud, it is important to note that these applications may have components outside the FedRAMP boundary and may exchange some metadata to enable some functions. In most cases, this is acceptable from a security perspective but may need additional approvals.
Salesforce Commercial Cloud has a vast selection of Salesforce AppExchange products to choose from whereas Salesforce Government Cloud has far less native (FedRAMP complaint) options. This does not preclude the customers from installing these applications as long as the security considerations similar to interoperable Salesforce products are applied to these applications.
From a cost perspective, Salesforce Government Cloud licenses come at a premium but they also include regulatory compliance, additional security, data isolation, and features that are not available in Salesforce Commercial Cloud.
Do you have a FedRAMP approved Product that you sell to the U.S Government which uses (and integrates) customer support solution in Salesforce?
Salesforce would most likely be a part of the FedRAMP boundary if a FedRAMP-approved product’s service requests are handled via Salesforce and customer and product-related information is stored in Salesforce. In this case, Salesforce Government Cloud is most likely required. This can generally be confirmed by the 3rd Party Assessment Organization (3PAO).
Do you use Salesforce Service Cloud and Save data related to Products or Services provided to the U.S Government?
Generally, if product or customer data related to the U.S Government is saved as a part of service requests or tickets, a Salesforce Government Cloud instance may be required but there may be exceptions. As an example, a cybersecurity company, aerospace company, engineering company, or a contract manufacturer serving the government may need to save sensitive information related to products and services related to the customer that in most cases would require the service solution to be on Salesforce Government Cloud. This may differ based on the agencies served and the type of data saved.
Does Salesforce need to integrate with other Government Cloud applications within the organization?
More often than not, Salesforce is integrated with one or more applications within the organization. As a government contractor, there may be some applications on other Government clouds like AWS or Azure. Integrating these Government Cloud applications with Salesforce gets tricky and leaves very few integration patterns and choices if Salesforce Government Cloud is not used. This scenario does not necessarily mandate Salesforce Government Cloud but it is essential to evaluate the cost of integration and regulatory compliance issues that may arise from integrating an application outside the Government Cloud boundary.
Does a contract with U.S government mandate the use of FedRAMP-approved products?
There are government contracts that explicitly require the use of Government Cloud or FedRAMP-approved products. This is a simpler scenario when the selection is based on the contractual need. However, please keep in mind that the use of Salesforce AppExchange products, non-FedRAMP-approved Salesforce products, and potential integrations need to be considered while estimating the cost and timeline for getting a Salesforce Government Cloud environment setup and configured.
Vectr Solutions can partner with you, help make decisions, and Implement Secure and Compliant solutions
As highlighted here, there are many factors that determine whether Salesforce Government Cloud is the right choice. The individual organization’s needs and constraints drive these decisions. Vectr Solutions has helped U.S Government contractors across many industries make these decisions. Our team at Vectr Solutions understands the strengths and constraints of both Salesforce Government Cloud and Commercial Cloud and can guide customers in the direction that fits their unique needs. We build customized solutions that meet those needs and ensure compliance and security across all aspects of Salesforce and any products that the solutions integrate with.