For regulated sectors and public agencies considering cloud-delivered solutions, trust is essential—and regulatory certifications are the tangible proof that their vendors meet security expectations. In practice, many vendors point to a single audit or framework as proof of security maturity. That may satisfy a checkbox, but for government agencies and regulated industries, real trust is built through multiple, independent validations — spanning operations, software development, and cryptography — and sustained over time.
Over the past 18–24 months, Ericsson has made significant, companywide investments to meet that higher bar. The result is a security posture for Ericsson NetCloud and select Ericsson Cradlepoint routers that has been independently validated across two major regulatory certifications, ISO 27001 and FIPS 140.
These achievements are not about compliance for compliance’s sake. They reflect the deep commitment Ericsson applies to designing, building, and operating cloud-delivered solutions for customers with the most demanding security requirements — from federal agencies and public safety organizations to highly regulated enterprises. “Security is not just a set of features — it requires verifiable processes, continuous monitoring, and a defensible evidence trail,” says Selma Coutinho, Head of Security for Ericsson Enterprise Wireless.
Here’s what each achievement means—and why it matters to federal, state, and local agencies:
Certifications
ISO 27001 - ISO 27001 certifies Ericsson’s Information Security Management System (ISMS) as robust, auditable, and continuously improving. Achieving it required thousands of hours from Security, IT, Product, R&D, Facilities, and Operations. The certification proves Ericsson has repeatable, effective controls to protect data and manage risk, aligned with regulations such as NIS2, GDPR, and the EU Cyber Resilience Act. For federal and public-sector customers, ISO 27001 is a global benchmark that reduces vendor risk, eases procurement, and demonstrates security-by-design.
FIPS 140-3 (Cryptographic Module Validation Program) - FIPS 140-3 is the U.S. federal standard for validating cryptographic modules, aligned with ISO/IEC 19790 and enforced by the CMVP. It defines strict requirements across 11 test areas—covering software/firmware security, noninvasive tests, and self-tests. Select Ericsson Cradlepoint routers hold FIPS 140-3 validations, verifying tested cryptography for data in transit and at rest. Agencies and public-safety buyers often require FIPS validation, supporting compliant procurement.
Attestations
SOC 2 Type II - SOC 2 Type II is an independent attestation by an AICPA-authorized auditor assessing security controls over time. For Ericsson NetCloud, the audit covered NetCloud Manager and NetCloud SASE, examining 62 controls across 10 IT services. This effort required over 600 hours from 33 team members and earned an "Unmodified Opinion," the best result. For public-sector buyers, SOC 2 Type II demonstrates operational maturity and control effectiveness, accelerates risk reviews, and complements government frameworks.
NIST Secure Software Development Framework (SSDF, SP 800-218) - NIST doesn’t certify companies to SSDF; U.S. agencies require software producers to attest they follow SSDF practices via the CISA Common Self Attestation Form or a FedRAMP 3PAO assessment. Ericsson NetCloud’s secure development aligns to SSDF’s four practice groups—Prepare the Organization; Protect the Software; Produce Well-Secured Software; Respond to Vulnerabilities—and includes ongoing staff training. For federal and public-sector buyers, SSDF attestation shows process-level supply chain assurance.
Each certification and attestation plays a distinct role in security: SOC 2 and ISO 27001 reinforce cloud and operational protections; SSDF demonstrates secure software development; and FIPS 140-3 ensures cryptographic modules meet stringent standards. Together, these certifications and attestations show that Ericsson NetCloud and select Ericsson Cradlepoint routers are engineered for the security expectations of government: validated cryptography at the module level, demonstrably effective operational controls, an auditable ISMS, and secure‑by‑design software development. That combination shortens security reviews, supports ATO readiness, aligns with evolving policy, and gives agencies confidence that our solutions can safeguard sensitive missions at scale.
To learn more about our certifications and attestations, or to request our SOC 2 Type II report and NIST SSDF attestation under NDA, please contact our Customer Security Engagement team at bews.customer.security@ericsson.com.