Securing Critical Infrastructure for the Public Sector

Deploying in a secure infrastructure environment puts agencies in a better position to address the cybersecurity challenges they face

Scott Thatcher
Abdul Khader Aslam

TL;DR

  • Federal agencies face growing cybersecurity threats from state-sponsored hackers, with Salt Typhoon attacks exposing key vulnerabilities.
  • Our shared responsibility model outlines what we do to help protect our public sector customers and what they must do for themselves.
  • Equinix has met FISMA High certification standards for physical and environmental security in our U.S. data centers and we’re pursuing CMMC accreditation.

Federal agencies are investing in modernizing their digital infrastructure. They need more data center capacity and new capabilities to keep up with data growth and meet demand for advanced technologies like AI. However, these investments can have unintended consequences: They make an attractive target for state-sponsored hacker groups and other cybercriminals.

Just like criminals have traditionally targeted banks because that’s where the money is, today’s cybercriminals are targeting data centers because that’s where the data is. Data has become an asset with tremendous value, and agencies need a strategy that accounts for the risks facing their data and applies the latest tools and best practices to mitigate those risks.

A recent example of the threats facing agencies is the Salt Typhoon attacks, when a Chinese hacking group breached several major telco providers as part of a global espionage campaign. According to the FBI, the attacks were the most egregious national security breach in U.S. history by a nation-state hacking group.[1]

It’s noteworthy that some of the vulnerabilities exploited by the hackers were simple flaws that had been documented years earlier. The lesson is that agencies don’t always need to build a new fortress around their critical infrastructure. Sometimes they just need to make sure the back door stays locked—and that means prioritizing basic cyber hygiene practices like password policies and endpoint security.

Agencies expect their partners to implement standards that help ensure a secure infrastructure environment. At Equinix, we know that our public sector customers are facing significant cybersecurity challenges, and we aim to be a valuable partner that puts them in a better position to address these challenges.

Building a secure infrastructure environment for public sector customers

Equinix is a global digital infrastructure provider that’s working to implement standard services and protections across all our Equinix IBX® colocation data centers. We understand that our data centers represent critical infrastructure for our customers, and they need to be protected accordingly.

We follow a shared responsibility model for cybersecurity that outlines what we do to help protect our customers and what our customers are expected to do for themselves. Under the model, we are responsible for maintaining physical and environmental data center security for the facilities in which our customers host their equipment.

This includes implementing multiple layers of access control to identify unauthorized visitors and deny them access. We also use CCTV cameras, motion sensors and biometric scanners placed throughout our facilities, so that even when an authorized visitor is granted access to one of our sites, we can still ensure that they’re only accessing the specific equipment that they have a valid reason to access. In addition to the standard security controls we provide for commercial customers, Equinix can accommodate specific requirements for public sector customers, including preventing access to foreign nationals (NOFORN) and secondary access controls.

FISMA attestation helps customers and partners meet their regulatory requirements

In the U.S., we have invested to meet the physical and environmental security requirements of the Federal Information Security Management Act for high-impact systems (FISMA High). This can help make it easier for our public sector customers to meet their regulatory requirements.

CIOs within federal agencies understand that they’re responsible for demonstrating that all the on-premises IT systems used on their behalf are FISMA compliant. For the past several years, our team has provided system security documentation from an independent assessor as part of our FISMA self-accreditation strategy. When our government customers need to demonstrate that they’re using FISMA-accredited colocation services, they can simply incorporate the documentation we’ve already produced as part of their overall system security plan.

Our documentation efforts also support compliance with the Federal Risk and Authorization Management Program (FedRAMP), which is essentially the cloud counterpart to FISMA. Since Equinix is not a cloud provider and doesn’t directly access our customers’ data, we do not pursue FedRAMP compliance ourselves. However, the Equinix ecosystem does include many cloud providers, some of which use our FISMA self-accreditation documentation as the basis for their own FedRAMP submissions. Thus, when our customers access FedRAMP-compliant cloud services from our ecosystem partners, they may be indirectly benefiting from the documentation that our team has produced over the years.

Implementing accreditation best practices

At Equinix, we’re also dedicated to protecting any business information that our public sector customers share with us. This includes safeguarding any information that’s defined as Federal Contract Information (FCI). To achieve this goal, we’re pursuing compliance with relevant government regulations.

For instance, the U.S. Department of Defense has implemented the Cybersecurity Maturity Model Certification (CMMC) to improve cybersecurity standards by requiring contractors in the defense industrial base to pass rigid compliance audits as part of their accreditation. At Equinix, our CMMC accreditation efforts are currently in progress, and we plan for these efforts to include protections for Controlled Unclassified Information (CUI). This will put us in a better position to serve as a valuable partner to our public sector customers.

To help ensure our CUI environment meets regulations, we hired a certified third-party assessment organization (C3PAO) as a strategic advisor. This has helped us enhance our data security system and conduct a mock audit to assess our systems before conducting a formal C3PAO assessment.

It’s important to note that federal cybersecurity regulations align with established cybersecurity standards, such as those outlined in NIST SP 800-171.[2] Compliance is obviously important, and it’s not something we do just to “check the box.” We see CMMC as a driver to help us further enhance our cybersecurity capabilities and demonstrate these capabilities to our customers.

Equinix is a global provider of world-class colocation and interconnection services, and we serve customers across all industry sectors. We know that our federal customers have unique cybersecurity requirements, and we are dedicated to going the extra mile to help them meet these requirements. So, we built a special environment to process, store and transmit sensitive information on behalf of our U.S. government customers. And, although CMMC requirements don’t apply directly to commercial customers, we believe that those customers can still take advantage of the capabilities we’ve gained as we’ve pursued compliance.

We also believe that cybersecurity is an ongoing process. We know that one successful audit doesn’t mean that our job is done; we’ll continue to do what’s necessary to adhere to cybersecurity standards and keep up with an evolving threat landscape. Providers need the flexibility to adjust policies over time to keep up with changing regulations. At Equinix, we’re able to achieve this thanks to a close partnership between our legal and information security (infosec) teams. Legal monitors regulatory developments over time and alerts infosec to any upcoming changes. This ensures that our infosec team is able to adjust accordingly.

We’ve worked hard to put ourselves in a position to be successful with our CMMC audit, and that doesn’t happen by accident. It happens because the company is dedicated to being the trusted partner agencies need to keep their critical infrastructure protected. That’s also why we’ve been able to meet FISMA High certification standards for physical and environmental security across all our colocation data centers in the U.S.

As a global digital infrastructure provider, we’re also working to protect information from public sector customers in other parts of the world. One example of this is our compliance with the Infosec Registered Assessors Program (IRAP) in Australia.

Learn more about how Equinix has made protecting our data centers a top priority: Access our governance report.

 

[1] David DiMolfetta, US agencies assessed Chinese telecom hackers likely hit data center and residential internet providers, Nextgov/FCW, June 9, 2025.

[2] Traci Spencer, What Is the NIST SP 800-171 and Who Needs to Follow It? NIST Manufacturing Innovation Blog, October 8, 2019.

Scott Thatcher Managing Director, Public Sector
Abdul Khader Aslam Senior Director, Information Security Compliance, Risk & Governance