TL;DR
- Federal agencies face growing cybersecurity threats from state-sponsored hackers, with Salt Typhoon attacks exposing key vulnerabilities.
- Our shared responsibility model outlines what we do to help protect our public sector customers and what they must do for themselves.
- Equinix has met FISMA High certification standards for physical and environmental security in our U.S. data centers, and we’ve achieved CMMC accreditation.
Editor’s Note: This blog was originally published in August 2025. It was updated in January 2026 to include the latest information.
Federal agencies are investing in modernizing their digital infrastructure. They need more data center capacity and new capabilities to keep up with data growth and meet demand for advanced technologies like AI. However, these investments can have unintended consequences: They make an attractive target for state-sponsored hacker groups and other cybercriminals.
Just like criminals have traditionally targeted banks because that’s where the money is, today’s cybercriminals are targeting data centers because that’s where the data is. Data has become an asset with tremendous value, and agencies need a strategy that accounts for the risks facing their data and applies the latest tools and best practices to mitigate those risks.
A recent example of the threats facing agencies is the Salt Typhoon attacks, when a Chinese hacking group breached several major telco providers as part of a global espionage campaign. According to the FBI, the attacks were the most egregious national security breach in U.S. history by a nation-state hacking group.[1]
It’s noteworthy that some of the vulnerabilities exploited by the hackers were simple flaws that had been documented years earlier. The lesson is that agencies don’t always need to build a new fortress around their critical infrastructure. Sometimes they just need to make sure the back door stays locked—and that means prioritizing basic cyber hygiene practices like password policies and endpoint security.
Agencies expect their partners to implement standards that help ensure a secure infrastructure environment. At Equinix, we know that our public sector customers are facing significant cybersecurity challenges, and we aim to be a valuable partner that puts them in a better position to address these challenges.
Building a secure infrastructure environment for public sector customers
Equinix is a global digital infrastructure provider that’s working to implement standard services and protections across all our Equinix IBX® colocation data centers. We understand that our data centers represent critical infrastructure for our customers, and they need to be protected accordingly.
We follow a shared responsibility model for cybersecurity that outlines what we do to help protect our customers and what our customers are expected to do for themselves. Under the model, we are responsible for maintaining physical and environmental data center security for the facilities in which our customers host their equipment.
This includes implementing multiple layers of access control to identify unauthorized visitors and deny them access. We also use CCTV cameras, motion sensors and biometric scanners placed throughout our facilities, so that even when an authorized visitor is granted access to one of our sites, we can still ensure that they’re only accessing the specific equipment that they have a valid reason to access. In addition to the standard security controls we provide for commercial customers, Equinix can accommodate specific requirements for public sector customers, including preventing access to foreign nationals (NOFORN) and secondary access controls.
FISMA attestation helps customers and partners meet their regulatory requirements
In the U.S., we have invested to meet the physical and environmental security requirements of the Federal Information Security Management Act for high-impact systems (FISMA High). This can help make it easier for our public sector customers to meet their regulatory requirements.
CIOs within federal agencies understand that they’re responsible for demonstrating that all the on-premises IT systems used on their behalf are FISMA compliant. For the past several years, our team has provided system security documentation from an independent assessor as part of our FISMA self-accreditation strategy. When our government customers need to demonstrate that they’re using FISMA-accredited colocation services, they can simply incorporate the documentation we’ve already produced as part of their overall system security plan.
Our documentation efforts also support compliance with the Federal Risk and Authorization Management Program (FedRAMP), which is essentially the cloud counterpart to FISMA. Since Equinix is not a cloud provider and doesn’t directly access our customers’ data, we do not pursue FedRAMP compliance ourselves. However, the Equinix ecosystem does include many cloud providers, some of which use our FISMA self-accreditation documentation as the basis for their own FedRAMP submissions. Thus, when our customers access FedRAMP-compliant cloud services from our ecosystem partners, they may be indirectly benefiting from the documentation that our team has produced over the years.
Implementing accreditation best practices
Equinix is a global provider of world-class colocation and interconnection services, and we serve customers across all industry sectors. We know that our federal customers have unique cybersecurity requirements, and we are dedicated to going the extra mile to help them meet these requirements.
For instance, the U.S. Department of Defense has implemented the Cybersecurity Maturity Model Certification (CMMC) to improve cybersecurity standards by requiring contractors in the defense industrial base to pass rigid third-party compliance assessments.
As part of our accreditation efforts and to meet our customers’ needs, we implemented an enclave to safeguard Controlled Unclassified Information (CUI). To enhance our data security system and help ensure our new CUI enclave met regulations, we hired a certified third-party assessment organization (C3PAO) as a strategic advisor and to conduct a mock assessment of our systems.
Our focus on data security resulted in a successful formal CMMC Level 2 assessment by a separate C3PAO. We also assessed our enterprise applications against controls designed to safeguard Federal Contract Information (FCI). This puts us in a better position to serve as a valuable partner to our public sector customers.
It’s important to note that federal cybersecurity regulations align with established cybersecurity standards, such as those outlined in NIST SP 800-171.[2] Compliance is obviously important, and it’s not something we do just to “check the box.” Our investment in CMMC accreditation has helped enhance our cybersecurity capabilities and demonstrate these capabilities to our customers.
Although most Department of Defense data security requirements don’t apply directly to commercial customers, we believe all customers can take advantage of the capabilities we gained as we pursued compliance, while benefitting from the FCI enterprise data security controls.
We believe that cybersecurity is an ongoing process, and know that one successful audit doesn’t mean that our job is done. We’ll continue to do what’s necessary to adhere to cybersecurity standards and keep up with an evolving threat landscape. Providers need the flexibility to adjust policies over time to keep up with changing regulations. At Equinix, we’re able to achieve this thanks to a close partnership between our legal and information security (infosec) teams. Legal monitors regulatory developments over time and alerts infosec to any upcoming changes. This ensures that our infosec team is able to adjust accordingly.
We worked hard to put ourselves in a position to be successful with our CMMC audit, and that doesn’t happen by accident. It happened because the company is dedicated to being the trusted partner agencies need to keep their sensitive information protected. That’s also why we’ve been able to meet FISMA High certification standards for physical and environmental security across all our colocation data centers in the U.S.
As a global digital infrastructure provider, our work to protect public sector customer information extends to customers in other parts of the world. One example of this is our compliance with the Infosec Registered Assessors Program (IRAP) in Australia.
Learn more about how Equinix has made protecting our data centers a top priority: Access our governance report.
[1] David DiMolfetta, US agencies assessed Chinese telecom hackers likely hit data center and residential internet providers, Nextgov/FCW, June 9, 2025.
[2] Traci Spencer, What Is the NIST SP 800-171 and Who Needs to Follow It? NIST Manufacturing Innovation Blog, October 8, 2019.