
Compliance

Lightbend is a SOC 2 compliant organization as of Akka v23.05, released April 25, 2023, and will be NIST 800-53(r5) compliant in an upcoming release.

With Akka v23.05 and later, Lightbend will provide a first-party attestation of conformance with the requirements of NIST SP 800-53, revision 5, including our mapping to the Secure Software Development Framework (SSDF) and our use of NIST-recommended secure development practices, together with an SBOM that conforms to EO 14028 and NTIA guidance.

NOTE: Licensing Akka assures organizations that the version of Akka they run in production has the latest known vulnerabilities patched and maintains compliance with the standards listed below.

All open source versions, and all versions prior to Akka v23.05, are NOT compliant. Visit Pricing for information on Akka development and production license packages.

SOC 2 standards

Relevant sections from the standards for running Akka in production:

SOC 2

Vendor Management Process, Vendor Compliance Review

  • CC1.4, CC3.2, CC3.4, CC9.2
  • Vendor's compliance must be verified annually

Patch Management

  • CC7.5

Vulnerability Scanning and Remediation

  • CC4.1, CC7.1, CC7.4

Software Development Lifecycle

  • CC8.1
  • Refers to OWASP standards and dependency checks

Users of Akka Open Source

Lightbend has committed to patching only Severity 1 / Critical vulnerabilities in the final open source version of Akka (v2.6), and only until September 2023.

All other vulnerabilities and bugs are fixed only in licensed versions of Akka. The current licensed version of Akka (v23.05) has the following vulnerabilities patched:

  • CVE-2022-42003
  • CVE-2020-36518
  • CVE-2022-42004
  • CVE-2022-22970
  • CVE-2022-22950
  • CVE-2022-22971
  • CVE-2022-22968
  • CVE-2020-13957
  • CVE-2021-37404
  • CVE-2022-25168
  • CVE-2022-26612
  • CVE-2020-9492
  • CVE-2017-15713
  • CVE-2021-22569
  • CVE-2023-29471
  • CVE-2023-31442
  • CVE-2022-41915
  • CVE-2022-3509
  • CVE-2022-3510
  • CVE-2022-3171
  • CVE-2023-33251

NOTE: Maintaining compliance with the SOC 2 and NIST 800-53(r5) standards requires licensing Akka and updating production systems to Akka v23.05.

Visit Pricing for information on Akka development and production license packages.

NIST SP 800-53, Revision 5 Attestation

  • NIST compliance means adhering to the security standards and best practices set forth by NIST, a U.S. government agency, for the protection of data used by the government and its contractors
  • It is mandatory for all U.S. federal information systems except those related to national security
  • Federal agencies may only use software from producers who can attest to complying with the NIST SSDF, including full supply-chain validation and a software bill of materials (SBOM) in the required form
  • Federal agencies must begin collecting attestation letters for "critical software" by June 14, 2023 and for all other software by September 14, 2023

For Federal Government Departments and Agencies: those using Akka v23.05 or later versions of Akka can use this attestation as evidence in their own software supply chain attestation.

Previous versions of Akka, including all open source versions, will not comply. Any product built on an earlier version of Akka will therefore be out of compliance and will not be eligible for sale to United States Federal Government Departments and Agencies.

NOTE: Licensing Akka assures agencies that the version of Akka they run in production has the latest known vulnerabilities patched and maintains compliance with NIST 800-53(r5) requirements.
