I am working on a project where the data needs to be HIPAA and FISMA compliant. I would like to know if SQL Server Enterprise edition is FISMA compliant.

  • SQL Server is neither HIPAA nor FISMA compliant out of the box. It offers features that make complying with such standards *possible* (like Always Encrypted, data masking and auditing) but there is no magic switch you can throw that suddenly ensures compliance, and this is generally true for any data storage technology. These standards are about proper procedures and knowing what happens with your data (and documenting that), not (first and foremost) about the technology used in the implementation. – Jeroen Mostert Jul 02 '19 at 15:30
  • Understood. So it's all about the ability that the technology provides (like encrypting/encoding everything) that decides the compliance. Right? – Rick Jul 02 '19 at 15:46
  • My point is more that compliance has almost nothing to do with the technology you use. No technology will automatically make you compliant just by using it, but also, no technology will automatically mean you're *not* compliant (well, except in extreme cases, like if you post every piece of data you get instantly to a public Twitter account, that's probably never compliant). Even if your database server had no features at all for encryption, it would be possible to use it in a compliant manner, it would just mean you had to do more work. The bulk of the work is thinking and documenting. – Jeroen Mostert Jul 02 '19 at 15:50
  • OK, thanks @JeroenMostert – Rick Jul 02 '19 at 18:04
  • Not the SQL Server, but the cloud can be. Here is an interesting read: https://learn.microsoft.com/en-us/microsoft-365/compliance/offering-fedramp?view=o365-worldwide#use-microsoft-compliance-score-to-assess-your-risk – Channa Sep 06 '20 at 14:08

0 Answers