FedRAMP Authorized — Moderate Impact
Heroku Shield by Salesforce. 6 compliance features verified.
Impact Level: Moderate | Status: Authorized | Pricing: mid market
Authorization Date: March 22, 2020 | Sponsoring Agency: GSA
Overview
Heroku Shield is a compliance-focused PaaS that extends the Heroku developer experience with FedRAMP Moderate security controls. It provides private spaces, trusted IP ranges, and enhanced logging for regulated workloads. Heroku Shield simplifies compliance while maintaining developer productivity.
How to Procure Heroku Shield for Defense Contracts
Heroku Shield is available through GSA MAS (Multiple Award Schedule) under Special Item Number (SIN) 518210C for Platform as a Service. Contracting officers can also procure via SEWP VI for IT services or utilize existing Salesforce enterprise agreements that include Heroku Shield entitlements. Government pricing typically includes volume discounts of 10-15% off commercial rates for annual commitments exceeding $100K.
The authorization boundary encompasses Heroku Shield Private Spaces, Shield Postgres databases, and associated logging infrastructure within AWS FedRAMP regions. Contracting officers must approve the System Security Plan (SSP) addendum that documents how agency applications inherit Heroku Shield's security controls while maintaining responsibility for application-level security controls (AC-2, AC-3, AU-2). The typical procurement timeline spans 45-90 days including technical evaluation, pricing negotiations, and ATO boundary documentation.
For CMMC Level 2 compliance, include Heroku Shield within your assessment boundary as a 'specialized asset' providing platform services for CUI processing. Document the shared responsibility model clearly, noting that Heroku Shield provides infrastructure and platform controls (SC-7, SC-8, AU-12) while the agency maintains responsibility for application access controls and data classification. Ensure your SPRS score reflects the FedRAMP Moderate baseline when hosting CUI workloads on the platform.
Compliance Cross-References
Heroku Shield's FedRAMP Moderate authorization directly supports DFARS 252.204-7012 compliance by providing adequate security controls for CUI processing, including encryption at rest (SC-28) and in transit (SC-8). For DFARS 252.239-7010 cloud services clause, the platform meets Government data location requirements with AWS FedRAMP regions and provides required incident response capabilities. NIST 800-171 control families are substantially addressed: Access Control (AC) through RBAC and SSO integration, System and Communications Protection (SC) via network segmentation and encryption, and Audit and Accountability (AU) through comprehensive logging and monitoring. CMMC Level 2 domains align well with Heroku Shield capabilities: Asset Management through inventory controls, Access Control via identity federation, System and Information Integrity through vulnerability management, and Security Assessment through continuous monitoring. The platform's shared responsibility model satisfies DoD Cloud Computing SRG IL-2 requirements for moderate impact systems, providing baseline security controls while allowing agencies to implement mission-specific controls for their applications and data.
Defense Contractor Use Case
Defense contractors use Heroku Shield for rapid prototyping and deploying customer-facing applications that require FedRAMP Moderate authorization without the overhead of managing infrastructure.
Frequently Asked Questions
What is the FedRAMP authorization level for Heroku Shield?
Heroku Shield is authorized at the FedRAMP Moderate impact level, with authorization granted on 2020-03-22 and sponsored by GSA. The FedRAMP Moderate baseline includes approximately 325 security controls covering confidentiality, integrity, and availability.
Can defense contractors use Heroku Shield for CUI?
Heroku Shield is authorized at the FedRAMP Moderate baseline. While FedRAMP Moderate covers a broad range of government data, defense contractors handling CUI should carefully evaluate whether Moderate controls meet their specific DFARS 252.204-7012 and NIST 800-171 requirements. Some CUI categories may require FedRAMP High authorization depending on the sensitivity of the data and contract requirements.
How does Heroku Shield pricing compare to commercial?
Heroku Shield government pricing is generally competitive with commercial pricing, though the government edition may carry a premium of 10-20% to cover FedRAMP compliance and dedicated infrastructure costs. Mid-market organizations can often access government pricing through GSA Schedule contracts or reseller partners. Contact Salesforce for a quote tailored to your organization size and requirements.