SASECompare

The SASE Compliance Gap: FedRAMP, HIPAA, and PCI-DSS Across 8 Vendors

Compliance scores are not uniform. We ran 5 checks (SOC 2/ISO, FedRAMP, HIPAA-BAA, PCI-DSS, DORA/NIS2) across 8 SASE vendors. Two score 100%. One scores 20%.

By SASECompare Research

Compliance Is the Silent Deal-Breaker

Most SASE bake-offs are won or lost on throughput charts and feature matrices. But for buyers in government, financial services, and healthcare, none of that matters if the vendor cannot clear procurement's compliance gate. A missing FedRAMP authorization or an unsigned HIPAA Business Associate Agreement (BAA) is not a footnote. It is a hard stop.

The comforting assumption is that the major SASE platforms are all roughly equivalent on compliance. After all, they are large security companies. Surely they all hold the certifications a regulated enterprise needs?

They do not. We ran 5 compliance checks across all 8 vendors, and the spread is enormous. At the top, two vendors pass everything. At the bottom, one vendor fails three of the five checks as a SASE service provider. This is the SASE compliance gap, and if you buy in a regulated sector, it is the single most consequential difference between these platforms.

The Scorecard

| Rank | Vendor | YES | PARTIAL | NO | Score |
|---|---|---|---|---|---|
| 1 | Zscaler | 5 | 0 | 0 | 100% |
| 1 | Netskope | 5 | 0 | 0 | 100% |
| 3 | Cloudflare | 4 | 1 | 0 | 90% |
| 4 | Palo Alto Networks | 3 | 2 | 0 | 80% |
| 4 | Cisco | 3 | 2 | 0 | 80% |
| 6 | Check Point | 3 | 1 | 1 | 70% |
| 6 | Cato Networks | 2 | 3 | 0 | 70% |
| 8 | Fortinet | 0 | 2 | 3 | 20% |

The headline number is Fortinet's 20%. As a SASE service, FortiSASE fails FedRAMP, fails HIPAA-BAA, and fails PCI-DSS, and holds only a partial pass on SOC 2 / ISO and on DORA / NIS2. Meanwhile Zscaler and Netskope clear all five checks cleanly. A 5x gap between the top and bottom of a supposedly commoditized market is not noise. It is the story.

The five checks are the ones regulated buyers actually get asked about in an RFP: SOC 2 Type II plus ISO 27001/27017, FedRAMP authorization, HIPAA compliance with a signed BAA, PCI-DSS as a service provider, and DORA / NIS2 support for EU customers. Scoring is simple: each YES is worth 2 points, each PARTIAL 1, each NO 0, for a maximum of 10, and the Score column is that total expressed as a percentage.

The Baseline: SOC 2 and ISO 27001

Does the vendor hold SOC 2 Type II, ISO 27001, and ISO 27017?

| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | SOC 2 Type II plus ISO 27001, 27017, and 27018, audited annually by Schellman |
| Netskope | YES | SOC 2 Type II since 2012, plus ISO 27001:2022, 27017, and 27018 |
| Palo Alto Networks | YES | SOC 2+ (adds HIPAA Security Rule alignment) plus the full ISO 27000 suite; Prisma Access in scope |
| Cisco | YES | Umbrella / Secure Access SOC 2 Type II plus ISO 27001, 27017, 27018 |
| Cato Networks | YES | SOC 2 Type II, SOC 3, ISO 27001, 27017, 27018, and 27701 |
| Check Point | YES | Harmony SASE SOC 2 Type II plus ISO 27001/27002 and 27017 |
| Cloudflare | PARTIAL | SOC 2 Type II and ISO 27001:2022, but does NOT hold ISO 27017 |
| Fortinet | PARTIAL | FortiSASE has a SOC 2 Type II report, but ISO 27001 is scoped to FortiGuard/FortiCloud, not FortiSASE |

Even the "table stakes" check is not uniform. Six vendors hold all three certifications outright. Cloudflare falls short on ISO 27017, the cloud-specific controls standard, holding only 27001, 27018, and 27701. Fortinet's gap is more subtle and more important: FortiSASE is named in the SOC 2 report, but Fortinet's ISO 27001 certificate is scoped to the FortiGuard and FortiCloud portfolios and does not explicitly cover the FortiSASE service. Scope is everything in compliance, and a certificate that names a different product does not help your auditor.

FedRAMP: The Single Biggest Divider

Is the platform FedRAMP authorized (Moderate or High)?

| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | FedRAMP High: ZIA and ZPA hold High ATO; the Zero Trust Exchange is Moderate and High authorized |
| Netskope | YES | Netskope GovCloud holds FedRAMP High (ATO sponsored by the Dept. of Veterans Affairs) |
| Palo Alto Networks | YES | Prisma SASE authorized at both Moderate (2021) and High (Dec 2024) |
| Cisco | YES | Umbrella for Government at FedRAMP Moderate (ATO Aug 1, 2024); commercial Umbrella is not authorized |
| Check Point | YES | Infinity Platform for Government at FedRAMP Moderate (Sep 2025); not the commercial Harmony SASE tenant |
| Cloudflare | YES | Cloudflare for Government at FedRAMP Moderate (Rev5, Dec 2022); In Process for High |
| Cato Networks | PARTIAL | Not yet authorized; only initiated the FedRAMP High process with 3PAO Coalfire on Mar 12, 2026 |
| Fortinet | NO | FortiSASE is not authorized and not In Process; Fortinet has GovRAMP (not FedRAMP), covering FortiGuard/FortiCare |

FedRAMP is where the field splits hardest. Six vendors hold an authorization, but read the boundary carefully: in four of the six cases it is a dedicated government variant (Umbrella for Government, Cloudflare for Government, Infinity Platform for Government, Netskope GovCloud), not the commercial SASE tenant you would deploy by default. The authorized product is not always the product the salesperson is demoing, so ask for the authorization boundary document and check that it names the tenant you will actually be provisioned on.

Two vendors cannot serve federal buyers today. Cato Networks only initiated its FedRAMP High process on March 12, 2026 with 3PAO Coalfire, so it is in-process at best and does not yet appear as authorized on the FedRAMP Marketplace. Fortinet is further back: FortiSASE is not even listed as In Process. Fortinet's 2025 GovRAMP authorization is a state-and-local framework, not the federal FedRAMP, and it covers FortiGuard AI services and FortiCare, not FortiSASE. If your buyer is a US federal agency or a contractor with a FedRAMP mandate, Cato and Fortinet are off the table until that changes. The Cato vs Zscaler gap here is stark: FedRAMP High and shipping versus a process that started months ago.

HIPAA: Who Will Actually Sign a BAA

Does the vendor support HIPAA compliance with a signed Business Associate Agreement?

| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | Supports HIPAA and will sign a BAA covering the use and disclosure of PHI/ePHI |
| Netskope | YES | Assessed against the HIPAA Security and Breach Notification Rules; will sign a BAA (BAA prevails for HIPAA data) |
| Cloudflare | YES | Signs a BAA, but only for Enterprise customers; in-scope services include Zero Trust access/DLP |
| Palo Alto Networks | PARTIAL | SOC 2+ aligns to the HIPAA Security Rule and offers a BAA, but eligibility is scope- and use-case-dependent |
| Cisco | PARTIAL | Publishes a standard BAA, but Umbrella/Secure Access is not explicitly named as a covered service |
| Cato Networks | PARTIAL | Holds a HIPAA attestation and supports HIPAA via IPS/DLP/encryption, but a signed BAA is not documented |
| Check Point | PARTIAL | Markets HIPAA support, but no signed BAA is documented on its compliance pages |
| Fortinet | NO | FortiSASE is not among Fortinet's HIPAA-aligned products; no BAA for FortiSASE is documented |

A BAA is a legal requirement, not a marketing claim. For a healthcare organization, a HIPAA-aligned security control set is worthless without a signed Business Associate Agreement, because the BAA is what makes the vendor legally accountable for protected health information. The distinction on this row is not "does the vendor mention HIPAA" but "will they put their name on a BAA that covers the SASE service."

Only three vendors clearly clear that bar: Zscaler, Netskope, and Cloudflare (the latter gated to Enterprise contracts). Four vendors sit at PARTIAL, where a BAA either exists but does not explicitly name the SASE service (Cisco), is scope- and use-case-dependent (Palo Alto), or is simply not documented at all (Cato, Check Point). Fortinet is a clean NO: FortiSASE is not on Fortinet's list of HIPAA-aligned products at all. Healthcare buyers should treat every PARTIAL as a homework item and get the BAA scope in writing, naming the SASE service, before signing.

PCI-DSS: Certified Service Provider vs. "Helps You Comply"

Is the platform compliant with PCI-DSS as a service provider for cardholder data environments?

| Vendor | Score | Key Detail |
|---|---|---|
| Zscaler | YES | PCI DSS v4.0.1 Attestation of Compliance (SAQ D, Aug 2025), overall COMPLIANT as a service provider |
| Netskope | YES | PCI DSS v4.0.1 compliance documented; AoC available to customers on request |
| Cato Networks | YES | PCI-DSS Service Provider Level 1; first SASE platform to achieve PCI DSS v4.0 as a service provider |
| Cloudflare | YES | PCI DSS Level 1 Service Provider since 2014, latest attestation aligned to PCI DSS 4.0 |
| Palo Alto Networks | PARTIAL | Lists PCI DSS in its trust center, but no clear published AoC for Prisma Access as a service provider |
| Cisco | PARTIAL | Provides PCI DSS DLP templates, but no public AoC for Umbrella/Secure Access as a service provider |
| Check Point | NO | Compliance pages enumerate SOC 2, ISO, HIPAA, GDPR, CIS, but not PCI-DSS; no service-provider AoC |
| Fortinet | NO | No documented AoC for FortiSASE as a service provider; positioned to help customers comply, not certified |

Here is a standout fact worth pausing on: Cato Networks was the first SASE platform vendor to achieve PCI DSS v4.0 compliance as a Level 1 Service Provider, the highest level. It is a notable win for a vendor that trails badly on FedRAMP, and it shows that compliance leadership is domain-specific, not a blanket property of a "good" vendor.

The critical distinction on this row is between holding an Attestation of Compliance (AoC) as a service provider versus merely shipping features that "help customers meet PCI-DSS." Four vendors hold a real service-provider attestation. Palo Alto and Cisco land at PARTIAL: they reference PCI-DSS and provide supporting controls, but there is no clear published AoC covering the SASE service itself (such documentation is typically NDA-gated, so ask for it under NDA rather than assuming it does not exist). Check Point and Fortinet are both NO, with no service-provider attestation documented for the SASE offering. For retail and payments buyers, "helps you comply" transfers all the audit burden back to you: without a vendor AoC, the SASE service lands inside your own PCI-DSS assessment scope.

DORA and NIS2: Guidance Is Not Certification

Does the vendor provide DORA and NIS2 support for EU customers?

DORA became mandatory for EU financial services in January 2025, and NIS2 applies to essential and important entities across the bloc. On this check the field is tighter, because DORA and NIS2 are regulatory frameworks rather than certifications you pass. Six vendors score YES: Zscaler (NIS2 white papers plus DSPM control mappings for DORA), Netskope (dedicated guides mapping all five DORA pillars and the ten NIS2 Article 21 measures), Palo Alto Networks (NIS2 materials plus a Deutsche Telekom sovereign-security partnership addressing DORA/KRITIS), Cisco (NIS2 and DORA solution briefs with framework mapping), Cloudflare (a DORA Article 30 mapping document and a NIS2 strategy hub), and Check Point (DORA/NIS2 delivered as advisory services through Infinity Global Services).

Cato Networks and Fortinet both score PARTIAL here, but for opposite reasons. Cato leans on its SASE sovereignty model (single data/control plane, regional PoP processing, and regional legal entities in the Netherlands, Germany, France, and Italy) plus NIS2 guidance, which is genuine platform enablement but not a formal control-mapping attestation. Fortinet publishes DORA and NIS2 glossary and white-paper content but offers no FortiSASE-specific mapping. The broader caution: on DORA and NIS2, almost everything on the market is guidance and support material, not certification. Do not let a vendor's DORA white paper substitute for the SOC 2 and FedRAMP evidence your auditor actually needs.

What This Means for Regulated Buyers

Match the certification to the sector

The scorecard is not a single ranking you can read top to bottom. It is five separate gates, and which one matters depends on who you are:

  • US federal / public sector: FedRAMP is the gate. Zscaler (High), Netskope (High), and Palo Alto (High) lead; Cisco, Check Point, and Cloudflare hold Moderate government variants. Cato is only in-process, and Fortinet has no FedRAMP at all.
  • Healthcare: the BAA is the gate. Zscaler and Netskope will sign cleanly; Cloudflare will on Enterprise; everyone else is a homework item or, for Fortinet, a NO.
  • Retail and payments: the service-provider PCI-DSS AoC is the gate. Zscaler, Netskope, Cato, and Cloudflare hold one.
  • EU financial services: DORA and NIS2 support is broad, but demand control mappings, not marketing collateral.

The recurring trap across FedRAMP, HIPAA, and PCI-DSS is scope. A vendor can hold an authorization that covers a government-only variant, a different product line, or a use case you are not buying. The full compliance comparison documents each boundary with source links so you can confirm the certificate names the service you will actually deploy.

The Bottom Line

Compliance is the one SASE evaluation category where the vendors are genuinely not interchangeable. Zscaler and Netskope pass all five checks and are the safest defaults for a heavily regulated buyer that needs FedRAMP High, a signed HIPAA BAA, and PCI-DSS in one platform. Cloudflare (90%) and the two 80% vendors, Palo Alto Networks and Cisco, are strong but carry specific gaps you must scope. Check Point and Cato both land at 70% with different weak spots: Check Point on PCI-DSS, Cato on FedRAMP.

And then there is Fortinet at 20%. FortiSASE is a capable security product, but as a service it fails FedRAMP, HIPAA-BAA, and PCI-DSS certification today. That is not a reason to dismiss it for every use case, but it is a decisive one if you sell to government, treat patient data, or process cardholder information. The Cato vs Fortinet and Netskope vs Zscaler matchups make the same point from different angles: the compliance floor varies more than the feature ceiling.

Before you shortlist, decide which of the five gates is non-negotiable for your sector, then verify the boundary in the source documentation. Browse the full comparison library or build an RFP weighted to your compliance requirements so the vendors answer the questions your auditor will actually ask.


Methodology: All findings are drawn from SASECompare independent research across 5 compliance checks. Ratings reflect documented capabilities from public vendor documentation, trust centers, compliance portals, press releases, and the FedRAMP Marketplace as of 2026. Vendors were not notified or consulted, and there is no pay-for-inclusion. See the [full comparison page](/compare/compliance-certifications) for per-vendor, per-check source citations. Certification scope changes frequently, so confirm the current authorization boundary directly with each vendor before contracting.

