We are thrilled to announce that A-LIGN has received ISO/IEC 27001:2022 accreditation (ISO 27001) from the ANSI National Accreditation Board (ANAB) on May 17, 2023. This accreditation expands A-LIGN’s portfolio of ISO certification service offerings, which includes ISO/IEC 27001:2013 (ISO 27001 2013), ISO/IEC 27701:2019 (ISO 27701) and ISO 22301:2019 (ISO 22301) and allows us to remain at the forefront of industry standards.
Curious about the key differences between ISO 27001 2013 and the new 2022 edition? We’ve got you covered with a quick summary of the 9 most important changes. If you’re hungry for more details, tune in to our webinar from April.
1. Updated context and scope
ISO 27001:2022 places increased emphasis on understanding the context of the organization, including its internal and external factors that may impact the information security management system (ISMS). This update encourages organizations to conduct a comprehensive analysis of interested parties, necessary processes, and roles within the ISMS.
2. Statement of Applicability (SoA)
While the requirements for the SoA itself remain largely unchanged, the updated controls in ISO 27001:2022 necessitate a revised SoA. Organizations should review their existing SoA from the 2013 version and make adjustments to incorporate a mapping of the 2022 controls. This demonstrates preparedness for the revised standard and facilitates effective communication with stakeholders.
3. Controlled changes to the ISMS
A notable addition in ISO 27001:2022 is Clause 6.3, which focuses on controlled changes to the ISMS. It requires organizations to carry out planned changes to the ISMS when the need arises, emphasizing the importance of a structured and systematic approach to managing changes within the system.
4. Enhanced operational planning and control
ISO 27001:2022 introduces additional guidance in Clause 8.1 for operational planning and control. Organizations are now required to establish criteria for actions identified in Clause 6 and control those actions accordingly. The standard also highlights the need to control any externally provided processes, emphasizing the importance of managing third-party relationships.
5. Reorganization and reduction of annex controls
One of the most significant changes in ISO 27001:2022 is the reorganization and reduction of annex controls. The number of controls has been reduced from 114 to 93, simplifying the categories and aligning them more effectively with the current hybrid and remote work environments. This update acknowledges the evolving nature of technology and aims to ensure the standard remains relevant and efficient.
6. Introduction of new controls
ISO 27001:2022 introduces 11 new controls in the annex section, covering areas that were already being practiced by organizations but are now formally included in the standard. These new controls address emerging threats and challenges, such as threat intelligence, information security for the use of cloud services, ICT readiness for business continuity, and more.
7. Recategorization of controls
To improve clarity and organization, the controls in ISO 27001:2022 have been recategorized into four main categories: organizational, people, physical, and technological. This reorganization simplifies the structure and enhances the standard’s usability, allowing organizations to more easily identify and implement the relevant controls.
8. Emphasis on needs and expectations of interested parties
ISO 27001:2022 adds a requirement in Clause 9.3 for management review to consider changes in the needs and expectations of interested parties. This highlights the significance of aligning the ISMS with the evolving priorities and requirements of stakeholders, enabling organizations to adapt and respond effectively to changes in their operating environment.
9. New controls for current challenges
The updated standard introduces controls that address current challenges and technologies. As these challenges continue to evolve in the industry, updates focus on staying current and relevant. Examples include controls for threat intelligence, web filtering, and secure coding.
What’s next?
All organizations that hold a current ISO 27001:2013 certification are required to undergo a transition audit to be certified to the 2022 version. Certification and recertification against ISO 27001:2013 are allowed until April 30, 2024. However, companies should begin to update their ISMS to comply with the requirements in this new revision as soon as possible. Any company currently certified against ISO 27001:2013 must transition no later than October 31, 2025.
To ensure a successful transition, organizations are required to:
- Perform a gap assessment: Map your existing controls to the newly revised standard and determine what changes your ISMS will need to make to achieve certification under the new version of the standard.
- Update the SoA: This document serves as a catalog of controls relevant to the ISMS. At a minimum, the SoA is required to include necessary controls, justification for inclusion, implementation status and justification for exclusion of controls. The SoA may also include risk mapping, control owners, and operating frequencies.
- Update the risk treatment plan: The risk treatment plan should include the risks relevant to implemented controls, risk responses, risk mitigation owners and administrative items such as timelines, budgets, etc.
- Implement and verify effectiveness of information security controls: The implementation and effectiveness of new or changed information security controls selected by your organization will be evaluated to ensure they meet the requirements of ISO/IEC 27001:2022.
For more information about the updated ISO 27001 standard and A-LIGN’s certification services, we invite you to watch our webinar or contact us today. Our team of experienced auditors is here to guide you through the certification process and ensure the security and resilience of your organization’s information assets.
At A-LIGN, we are committed to helping our clients achieve their certification goals and maintain the highest standards of information security. With our expanded certification services and expertise in ISO/IEC 27001:2022, we look forward to assisting organizations in their journey towards a more secure future.
Get started by downloading our ISO 27001 checklist.
When pursuing federal clients or servicing existing ones, there are unique compliance needs due to the sensitivity of government information. Many standards (such as FedRAMP) and laws (like FISMA) exist to create consistent security standards for organizations seeking federal agency clientele.
Sometimes these standards have similar frameworks, putting organizations in a position where they need guidance on which certification to pursue. For instance, FISMA and FedRAMP often appear early in an organization’s compliance journey — but the two aren’t interchangeable.
In this blog, we’ll clarify:
- What is FISMA?
- What is FedRAMP?
- The differences between FISMA vs FedRAMP
- How to choose between FISMA vs FedRAMP
What is FISMA?
FISMA refers to the Federal Information Security Modernization Act of 2014. First issued in 2002, FISMA was amended in 2014 to modernize federal security practices, addressing evolving security concerns as technology progressed.
FISMA is not a standard: it is a United States federal law requiring federal agencies to develop, document, and implement an agency-wide program to provide information security for the information and systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other sources.
The Risk Management Framework (RMF) is a key element of FISMA, as it brings together all the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies.
Together, FISMA and RMF outline the cybersecurity standard for all companies that are seeking federal contracts and an authorization to operate (ATO) from government agencies. FISMA establishes the standards and requirements of an agency’s cybersecurity program, and RMF is how that program is implemented to meet those standards and requirements.
What is FedRAMP?
FedRAMP, or Federal Risk and Authorization Management Program, is a government program that provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services used by federal agencies to store, process, and transmit federal information.
Its main objective is to provide federal departments and agencies with a cost-effective and risk-based approach to cloud adoption. The creation of FedRAMP allowed cloud service providers (CSPs) to be assessed and authorized by federal agencies.
Understanding the Differences Between FISMA and FedRAMP
The main differences between FISMA and FedRAMP include:
- The type of ATO that is granted (one-to-one vs. “do once, use many”)
- Who each is relevant for (FedRAMP is specifically for cloud service providers)
- The pathways to authorization
When becoming FISMA compliant, organizations are awarded an RMF ATO from the specific federal agency with which the organization is working, which is considered a one-to-one process. A one-to-one process means that each agency that an organization is seeking authorization from will have different requirements because of the unique needs that an agency may have. As a result, multiple ATOs from multiple agencies must be maintained in order to keep those federal contracts. Thus, each authorization is done one at a time.
When becoming FedRAMP authorized, organizations are awarded an ATO that can be leveraged by any federal agency, which supports a “do once, use many” framework that provides a streamlined process for cloud service providers (CSPs). FedRAMP can be more rigorous because it is intended to be used by any agency.
In addition, FedRAMP is specifically designed with the needs of CSPs in mind, making it the appropriate assessment for cloud providers.
Under FedRAMP, organizations pursue one of two authorization pathways. They either pursue a provisional authorization to operate, or P-ATO, through the Joint Authorization Board (JAB) or a FedRAMP Authorization via direct agency sponsorship. Either path requires a 3PAO, or third-party assessment organization, to determine that the provider can demonstrate that the cloud services meet the baseline controls in FedRAMP. Once the 3PAO assesses and reviews the documentation, the results are submitted for FedRAMP review and approval, at which time an organization is awarded a P-ATO or ATO, depending on the authorization pathway chosen.
Choosing Between FISMA and FedRAMP
When it comes to choosing between FISMA and FedRAMP, the decision ultimately lies with the organization itself.
Many times, client specifications will determine which standard an organization chooses to pursue. If your company’s offering is a cloud-based solution, then FedRAMP is typically required, otherwise the compliance framework is typically determined by your federal client requirements.
Both RMF and FedRAMP fulfill the FISMA mandates and aim to protect sensitive government data from cybersecurity threats, and both follow the controls set within NIST SP 800-53.
Regardless of the assessment that is right for your organization, the NIST guidelines allow organizations to use cloud services with increased security and efficiency.
Becoming FISMA Compliant
Whether it’s pursuing an RMF ATO or a FedRAMP ATO, federal agencies base their security control baselines on NIST SP 800-53, in addition to agency-specific cybersecurity requirements.
A-LIGN is an expert in federal compliance and a top FedRAMP assessor. As an accredited 3PAO, A-LIGN can help organizations navigate the process of complying with multiple audits and gaining multiple authorizations at the same time.
Contact the A-LIGN team today to discuss the benefits of FISMA or FedRAMP for your organization.
Are you looking to strengthen your organization’s cybersecurity measures and demonstrate your commitment to protecting sensitive information? Understanding the relationship between SOC 2 and HITRUST can be instrumental in achieving these goals. SOC 2 and HITRUST are two widely recognized frameworks that provide comprehensive guidelines for managing security controls and ensuring the confidentiality, integrity, and availability of sensitive data. While each framework has its own unique focus and requirements, they are not mutually exclusive. In fact, they complement each other in many ways, allowing organizations to simultaneously complete both assessments and reap benefits from both.
In this blog post, we will explore the synergies between SOC 2 and HITRUST and how leveraging both frameworks can enhance your organization’s cybersecurity posture and instill confidence in your stakeholders.
Types of HITRUST Assessments
HITRUST offers two methods for approaching compliance with the HITRUST CSF, each providing its own benefits depending on the needs of an organization: the Self-Assessment and the Validated Assessment, which leads to HITRUST certification. Each provides a different degree of assurance based on the cost, level of effort, and time required. The benefits of any type of HITRUST CSF Assessment include:
- Scalability for organizations of any size
- Allows organizations to understand their current level of compliance with the CSF and areas of general risk
HITRUST Self-Assessment
The HITRUST MyCSF is designed to be completed by an organization in order to minimize time and resources when demonstrating compliance with the CSF. The self-assessment can also be used as a stepping stone to a validated assessment. The benefits include:
- Low to medium level of effort needed to complete
- Can be quickly completed
However, one of the disadvantages of completing a self-assessment report is that it provides the lowest level of assurance, as no validation comes from the self-assessment: it simply results in a HITRUST-issued CSF Self-Assessment report.
Validated Assessment
A Validated Assessment is a more rigorous assessment process that provides an increased level of assurance; it is performed by a CSF assessor firm to validate the information gathered by the organization. One of the benefits of receiving a CSF validated assessment is the increased assurance level it provides to the relying entity.
The process is more rigorous because on-site testing at the entity is performed by an authorized CSF assessor. A validated assessment requires a medium to high level of effort for completion, due to the on-site time and rigorous testing procedures. Upon completion, HITRUST reviews the complete assessment and issues a Validated Report as the outcome if the organization has failed to receive a rating of 3 or higher on any of the controls.
Certified Assessment
While an organization goes through the same audit process when receiving either a validated assessment or a certified assessment, becoming HITRUST certified means that the organization received at least a 3 on HITRUST’s scale and has shown a high level of maturity.
The benefits of receiving a CSF certified assessment include:
- The report is good for 2 years, with an interim assessment completed at the one-year mark.
- Provides the most complete assurance level certified by HITRUST. The organization that receives a certified assessment must meet all of the certification requirements of the CSF.
A certified assessment is only earned once an organization successfully demonstrates that they are able to meet all of the controls in the CSF required for certification at the appropriate level based on organizational needs.
SOC 2 and HITRUST
What is SOC 2?
SOC 2 reports describe the internal controls at a service organization, based on the AICPA’s Trust Principles:
- Common Criteria (Security)
- Availability
- Processing Integrity
- Confidentiality
- Privacy
SOC 2 reports provide users with management assertions, a description of both the system and the controls, tests and the results of the tests, and the independent service auditor’s report. The SOC 2 is widely used by service organizations that provide services to other business entities.
HITRUST and the American Institute of Certified Public Accountants (AICPA) have developed a collaborative approach that aligns the AICPA’s Trust Principles with the HITRUST CSF criteria. This allows licensed CPA firms that are also CSF assessor firms to issue a SOC 2 plus HITRUST report that includes both the SOC 2 criteria and the HITRUST CSF. This converged reporting model makes HITRUST and SOC 2 complementary services. The benefits for your organization include:
- Save time
- Save on costs
- Gain efficiency
- Increase your client satisfaction
This streamlining process allows organizations to simplify the process of leveraging their HITRUST CSF for SOC 2 reporting.
Download our HITRUST checklist now!
Cybersecurity tactics and best practices constantly evolve as new threats emerge. And it doesn’t matter how great your security is if third-party vendors aren’t as prepared.
This is why the HITRUST CSF exists — to establish standards dedicated to protecting sensitive information.
HITRUST is a standards organization focused on security, privacy and risk management. HITRUST CSF was developed to provide healthcare organizations with a comprehensive security and privacy program.
Though it’s been historically targeted toward organizations in the healthcare industry, the HITRUST CSF has been gaining traction in other sectors. With malicious attacks on the rise, companies across all industries should consider adopting the HITRUST CSF to minimize risk exposure.
Why the HITRUST CSF is Popular Among Healthcare Organizations
HITRUST was founded in 2007 to make information security a focus of the healthcare industry. This standard gives customers confidence in knowing their data and confidential information are secure.
Many healthcare organizations are required to maintain HIPAA compliance. HIPAA, or the Health Insurance Portability and Accountability Act, is a U.S. law that establishes a set of safeguards that covered entities must follow to protect health information.
However, there is no official way to measure HIPAA compliance. The HITRUST CSF provides a list of prescriptive controls or requirements that can demonstrate compliance, making the CSF a certifiable security and privacy framework. Therefore, it was an essential complement to HIPAA compliance for healthcare organizations.
Why Other Industries Should Adopt the HITRUST CSF
In 2019, HITRUST made the CSF industry agnostic. This made it possible for organizations in any industry to pursue the certification — although many organizations are unaware of the benefits HITRUST Certification can provide their teams.
HITRUST Certification is not mandated by law. Still, the HITRUST CSF is considered the most comprehensive cybersecurity and privacy framework because of the way it maps to over 40 other security and privacy standards, including HIPAA, SOC 2, NIST SP 800-53 and ISO 27001, just to name a few.
The HITRUST CSF allows organizations to combine several assessments and standards into one framework. Organizations decide what regulatory factors they want to include in their assessment based on the level of risk and the regulatory requirements.
By taking an “assess once, report many” approach, assessors can perform several different audits while the organization feels like they’re only undergoing one — saving time, money, and resources.
Key Industries that Could Benefit from HITRUST Adoption
Even though most industries will benefit from adopting the HITRUST CSF, several industries could reap more significant rewards while using this framework.
Hospitality
Hotels, lodging facilities, and travel booking sites are at an increased risk of virtual attacks, such as the Marriott data breach that occurred in mid-2022.
That’s why major players in the industry now require strict adherence to security and privacy best practices. Sabre, for example, is the largest technology platform for booking and payment applications in the hospitality industry. In 2019, Sabre began requiring its vendors to provide a HITRUST CSF Assessment, as the company wanted a way for its vendors to demonstrate the effectiveness of their information privacy and security controls.
Suppose hospitality organizations want to keep using Sabre as their primary booking and payment application. In that case, the organizations must undergo a HITRUST CSF Assessment to ensure they are safely managing customer data.
Utilities
Strong security is essential for utility companies. The nation’s critical infrastructure system could crumble without stable access to necessities like water and electricity.
With critical infrastructure coming under increased attacks, as seen with Russia’s attacks on Ukraine’s electrical grid, many nations worldwide are focusing on protecting vital resources. To help mitigate the risk of an attack, organizations need to take a proactive approach to cybersecurity, such as adopting a framework like the HITRUST CSF.
Organizations with International Customers
While not technically an industry of its own, organizations with a large number of international customers will benefit from the adoption of the HITRUST CSF.
In 2018, the EU adopted the General Data Protection Regulation (GDPR) to protect the private information of those in the European Union. However, similar to the case with HIPAA, there is no official way to measure GDPR compliance.
Adding GDPR to a HITRUST assessment is a great approach for addressing the questions and concerns clients may have about your organization’s GDPR compliance.
The Singapore Personal Data Protection Act shares many similarities with GDPR, although this international regulation only applies to Singapore. Along the same vein, the Brazilian General Data Protection Law (LGPD) has also gained popularity in recent years, once again demonstrating how many privacy laws have been adopted worldwide.
With no formal certification process for many of these new regulations, organizations that are currently doing business or are looking to do business overseas should add additional regulations to their HITRUST assessment to better demonstrate data safety.
Get Started with HITRUST
Organizations across all industries need to ensure they can protect any data that might be shared. One of the best ways to do this is by achieving HITRUST Certification.
The HITRUST CSF Certification draws from multiple well-known, pre-existing frameworks to provide a complete, certifiable security and privacy standard. With the foundation already set, many see that their HITRUST Certification simplifies the process of satisfying other requirements.
With more than 400 successful HITRUST Assessments completed, A-LIGN’s team of HITRUST experts is here to answer any questions and walk you through the entire certification process.
Interested in learning more about HITRUST CSF? Complete the form below and one of our cybersecurity and compliance professionals will reach out within 24 hours.
Download our HITRUST checklist now!

Organizations are strapped for time and working with limited resources. That’s why many have turned to compliance automation software to streamline processes.
But software vendors are only one type of compliance vendor you’ll encounter in the market, and they can’t solve all of your compliance needs. Generally speaking, you can classify compliance vendors into three categories:
- Compliance Software Vendors: Vendors that offer software products to assist with aspects of cybersecurity and compliance audits (such as evidence collection and review).
- Auditors: Experts licensed or approved by certification/authorization bodies to assess an organization’s capabilities against the certification’s standards and practices. Some auditors focus on specialized industries or types of audits, while other larger audit companies provide a suite of services.
- Technology-Enabled Auditors: These providers (like A-LIGN) offer the best of both worlds — certified experts who can complete audits and issue final reports, and proprietary technology to automate and streamline the audit process.
Selecting the wrong partner for your needs can strap you with hidden costs, lead to reputational damage, and create inefficiencies as your business and cybersecurity posture mature.
To find the best compliance partner, ask these three questions before you sign a contract.
1. Can the vendor produce reports/certifications?
There’s a common misconception in the world of compliance — “software is all I need.” While audit software can help streamline audit processes and evidence collection, technology providers cannot perform the actual audits or grant certifications themselves.
Compliance certifications require specialized assessors trained to evaluate a company against specific standards (see definition of “auditors” above).
For example, only Third Party Assessment Organizations (3PAOs) grant FedRAMP Authorization, and only accredited ISO certification bodies assess ISO Certification. Similarly, the American Institute of Certified Public Accountants (AICPA) regulates SOC 2 assessments. An external auditor from a licensed CPA firm must complete these examinations.
If you sign on to use a compliance software solution alone, you risk incurring additional costs when it’s time to call in an auditor. This can also lead to a lack of efficiency and an extended project timeline. Instead, the best thing to do is to work with an audit firm that also offers compliance software to streamline processes and assist with data collection.
2. What is the compliance vendor’s suite of services?
There are a lot of cybersecurity certifications and audits out there — for different types of companies, industries, and more. As your company grows, you may be required to complete more audits and certifications than you originally planned for.
For example, you may be focused on SOC 2 right now. But, if you want to expand your business into the Federal government in a few years, you will need FedRAMP Authorization. As you continue to grow your business, services, and tech stack, you also may want to start completing regular penetration tests to check up on your systems and processes.
Select a vendor with your future in mind. It’s helpful to build a relationship with a compliance vendor who can scale with you. Switching vendors for individual audits can lead to a lack of efficiency, as you’ll have to re-do the extensive evidence collection and systems documentation processes.
3. Is this a credible compliance vendor?
Cybersecurity audits and certifications are a great way to gain the trust of potential customers and investors. Just like how organizations go through the audit process, auditors go through an audit process themselves. Auditors must be trained and assessed in their ability to evaluate companies properly against industry standards.
With that in mind, you’ll want to select an auditor with a track record of success and longstanding relationships with certification and authorization bodies like ISO, HITRUST, and the AICPA, among others. Otherwise, you risk working with an auditor who loses their status — and the reputational damage that may trickle down to you as a result. Opting for a traditional software compliance vendor leaves you most vulnerable to this scenario, as they may choose your auditor for you.
Complete Compliance with A-LIGN
A-LIGN is a technology-enabled security and compliance partner that can assist with various audits, reports, and certifications.
A-LIGN’s services include:
- Leading cybersecurity certifications like ISO 27001 or SOC 2 attestation
- Industry-specific certifications like FedRAMP, StateRAMP, PCI DSS, HITRUST, HIPAA, and more
- Cybersecurity services like Ransomware Assessments and Penetration Testing
- Assessments for compliance against privacy laws like GDPR
Our A-SCEND technology complements the expertise of our auditors by streamlining extensive evidence-collection processes and storing information in a single system of record that can be used across multiple audits and certifications.
Economic pressures force security, governance, risk, and compliance leaders to do more with less. CISOs are especially vulnerable, as it can be hard to cut corners where data security is concerned.
By 2023, 30% of a CISO’s effectiveness will be directly measured on the ability to create value for the business. This means that even though security remains a top concern, CISOs will also face growing accountability for the financial success of the organizations they represent.
To proactively prepare for future changes, A-LIGN has identified three areas for CISOs to concentrate on when reducing budgets and helping their organizations generate ROI.
1. Utilize Technology
Becoming compliant is necessary to keep clients and win new business, but it can be expensive and time-consuming if done without technology streamlining the process. Organizations can utilize compliance technology to mitigate the impact of personnel shortages, time-related constraints, and reductions in resources.
Compliance technology automates many manual tasks from audit processes, such as simplifying readiness assessments and deduplicating audits and evidence collection.
A-SCEND is A-LIGN’s award-winning compliance automation software. A-SCEND allows teams of all sizes to gain instant visibility into their compliance standing, create policies, and manage evidence in one centralized platform. From automated evidence collection to continuous monitoring, A-SCEND is the end-to-end solution that bridges the gap between auditor experience and technology.
Beware of the Limitations of Technology
Popular thought is that by enabling integrations into a cloud platform, an organization can become effectively hands-off in its approach to assuring compliance. While this idea may seem like a solution, several influences quickly highlight how cost-ineffective this route can be.
Only a few of the available integrations consider the nuance of scoping. An organization might have the ability to pull data from its cloud service provider (CSP) quickly. However, a human must evaluate if that evidence applies to the assessment at hand.
For example, pulling a population of users from an HR system might ease a burden on your HR team, but what if you deliver the wrong list of users? When the concern is providing more than the (minimum) necessary for an assessment, unmanaged integrations are a significant risk.
Even if your organization adopts compliance technologies, CISOs and Compliance Officers should ensure their team stays actively engaged with the audit processes.
2. Consolidate Vendors
Audit and compliance automation platforms are not the same as accredited auditors or assessors. This means organizations must still contract with and build relationships with one or many audit firms depending on the attestations and certifications they carry.
It is common to see third-party compliance firms specializing in delivering either SOC, ISO, PCI, or HITRUST assessment and validation. However, when consolidation is key, many companies make uninformed decisions that increase their workload (and budget). Think of it like choosing to contract with a different cell provider for every cell phone in your home — you quickly realize how little sense it makes.
Coordination, variety of opinions, and variations in quality and performance all become genuine risks when engaging with multiple assessor firms. Applicability of collected evidence is also a concern: automation integrations pull some data from cloud platforms, but the auditors must determine whether that data is necessary to meet their evaluation.
Audit firms must ensure they collect sufficient data to support the opinion they issue. If opinions vary, the burden to provide satisfactory evidence will always remain an obligation of the assessed entity — which can put organizations in a challenging position.
3. Don’t Delay Cybersecurity Compliance Certifications
With an uncertain economy, it is easy to understand why some organizations may consider delaying the pursuit of compliance certifications. However, many prospective clients will value your organization’s additional protections to ensure their data remains protected, especially if the client sees an organization’s process is validated by a trusted, independent auditor.
In particular, SOC 2 and ISO 27001 are two of the most effective cybersecurity frameworks.
Organizations should proactively complete a SOC 2 audit before a customer requests a final report. This will set you apart from your competition and help you to win new business.
Additionally, some authorizations, like FedRAMP, require yearly re-assessments. Organizations should seek re-authorization to remain competitive and retain current customers.
Keep Compliance as a Top Priority
While budget reductions may be coming, CISOs do not need to sacrifice information security. Adopting compliance technology and consolidating vendors can minimize downtime and save money. Additionally, pursuing relevant certifications can attract new clients and increase your business revenue.
A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks, including SOC 2, PCI DSS, ISO 27001, GDPR, FISMA, FedRAMP, and NIST-based frameworks. Our advisors and auditors can partner with your organization to help you meet all compliance needs, even during times of financial uncertainty.
Keep moving forward on your path to success. Begin your compliance journey with A-LIGN today.
Created in 2020, StateRAMP provides a standardized approach to cybersecurity for cloud vendors working with state and local governments. StateRAMP authorization is required for any organization that wishes to do business with state and local governments.
If you are seeking StateRAMP authorization, here is a look at the step-by-step process you’ll need to complete with A-LIGN:
- Step 1: Pre-Assessment Review
- Step 2: Planning Activities
- Step 3: Assessment Activities
- Step 4: Reporting Activities
- Step 5: Earning Authorization
Look familiar? This is very similar to the process for FedRAMP authorization.
Before You Begin
Before the assessment process gets underway, you’ll need to complete a few initial tasks to help your organization prepare:
- Research
- Obtain a Sponsor (optional)
- Find a Third Party Assessment Organization (3PAO)
- Complete a Readiness Assessment (optional)
Research
It’s always good to gain a baseline understanding of StateRAMP and the assessment process before diving into it. Here is some recommended reading to help you begin your research:
- StateRAMP Frequently Asked Questions
- What Is StateRAMP and How Does It Relate to FedRAMP?
- Templates & Resources – StateRAMP
Leverage a Sponsor or the Approvals Committee
Sponsors are individuals or agencies responsible for reviewing a security package and approving StateRAMP Authorized status. Sponsors are the state agency or organization that will eventually be using the cloud product.
Providers looking to achieve StateRAMP Authorization may choose to leverage a sponsor OR use StateRAMP’s Approvals Committee instead. Either route is acceptable and there is no difference (beyond some minor administrative changes) in the authorization process.
Find a Third Party Assessment Organization (3PAO)
StateRAMP assessments must be completed by a 3PAO, an organization that has gained special authorization to conduct assessments on behalf of the StateRAMP program. Any FedRAMP 3PAO is eligible to conduct the assessments but must register with StateRAMP.
A-LIGN is a StateRAMP-registered assessor and accredited FedRAMP 3PAO. We have a longstanding relationship with FedRAMP and StateRAMP, and served as advisors on how best to adapt the FedRAMP framework into StateRAMP when the program was first created. We also currently serve on the Steering Committee and the Appeals Committee.
Complete a Readiness Assessment
Prior to undergoing a StateRAMP assessment you may want to perform a StateRAMP Readiness Assessment and get a Readiness Assessment Report (RAR). During this assessment, a 3PAO looks at your environment to determine if it is technically capable of meeting the StateRAMP requirements.
A readiness assessment can help identify gaps in controls prior to the official 3PAO assessment — which ultimately will save you time and money in the official audit process. After the assessment, organizations can qualify for StateRAMP Ready status, which designates your organization as one that is qualified to achieve StateRAMP authorization and is in process.
A-LIGN can provide you with both a readiness assessment, as well as an official assessment for StateRAMP authorization.
Step 1: Pre-Assessment Review (1-4 Weeks)
If you have already completed a readiness assessment with A-LIGN and received a StateRAMP Readiness Assessment Report, we will skip this step and move immediately to Step 2 in the process.
Once you are ready for an official assessment and have signed a contract with A-LIGN, we’ll begin with a pre-assessment review phase.
During this phase, our team will compare your current environment against the StateRAMP requirements to determine any known issues or gaps that need to be remediated before the official assessment.
Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better. Once the review is complete, we will meet with your team to review the findings and outline the next steps.
Step 2: Planning Activities (4 Weeks)
After the Pre-Assessment Review phase, you will need to submit responses to an initial Information Request List (IRL) that A-LIGN provides you with.
While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include:
- An Authority to Test (ATT) – This is part of our penetration (pen) test planning and is only required if the system being reviewed is classified as StateRAMP Moderate impact level. Low and Low+ impact levels do not require pen tests under current guidance from StateRAMP.
- A Security Assessment Plan (SAP).
Step 3: Assessment Activities (7 weeks)
During the assessment phase, we will conduct on-site fieldwork (team interviews) and remote fieldwork (evidence review).
Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. Any delays in evidence collection will result in delays in our review timeline. It’s important to plan ahead so we can stay on schedule throughout the assessment process.
We will also conduct a pen test at this time. Again, this is only a requirement for StateRAMP Moderate. It is an optional step for Low and Low+. Although it is optional, we highly recommend undergoing this step as a safety net to eliminate any surprises we may encounter during the actual testing phase.
Once we conduct the penetration test and get through a majority of the evidence review, we’ll provide your team with a draft of a risk exposure table. Your team can then review the draft and create a plan of action and milestones to remediate any initial issues that were found.
Step 4: Reporting Activities (5 weeks)
Upon completion of our full evidence review and pen test, we will provide you with a draft Security Assessment Report (the next iteration of the initial risk exposure table) and pen test report for review. We will analyze and discuss the findings with your team before drafting a final report for you.
Once the final report is complete, it will be sent to StateRAMP.
Step 5: Earning Authorization (2-3 weeks)
The security package is then reviewed by the security professionals at StateRAMP’s Program Management Office (PMO). The PMO will verify the security status of your organization and grant you one of the following statuses:
StateRAMP Authorized Status: A status that indicates the product or offering has:
- A government sponsor
- Met all the required NIST controls by impact level
- Completed the necessary documentation, including a 3PAO Security Assessment Report
StateRAMP Provisional Status: A status that indicates the product or offering has:
- Met the minimum requirements and MOST critical controls, but not all
Providers listed as Provisional may continue to work toward Authorized status.
All authorized providers will be listed on the publicly available Authorized Vendor List (AVL) on stateramp.org, which includes information about the service providers’ products, including impact level, provider type, and security status. The PMO maintains responsibility for continuously monitoring providers listed on the AVL.
Get Started Today
For any organization looking to work with state and local government entities, StateRAMP authorization is essential. With careful planning, a solid 3PAO partner, and an understanding of the process and associated timeline, you can streamline efforts to achieve StateRAMP authorization.
For more information about the StateRAMP process, contact A-LIGN today.
Since its creation in 2011, the Federal Risk and Authorization Management Program (FedRAMP) has provided a standardized government-wide approach to assessing the security of cloud computing services.
However, due to government agencies’ increased adoption of cloud technologies and a rise in cybersecurity attacks, many organizations and agencies have called for an updated version of FedRAMP to address their mounting cybersecurity concerns.
In late December 2022, the President signed H.R. 7776, the “James M. Inhofe National Defense Authorization Act for Fiscal Year 2023,” into law, which includes the FedRAMP Authorization Act. The official FedRAMP Authorization Act document is nearly 30 pages long and details the proposed changes to the FedRAMP program.
This blog will discuss everything you need to know about the FedRAMP Authorization Act, along with what the changes mean for organizations.
1. Codifies secure market expansion into law
The passing of the FedRAMP Authorization Act codifies the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud computing products and services that process unclassified federal information. By codifying the FedRAMP Authorization Act into law, FedRAMP will now receive Congressional oversight. With this oversight comes better insight into the cost burdens of FedRAMP Authorization for SMBs.
Currently, the FedRAMP Authorization process is quite costly. Organizations that obtain authorization must undergo annual reassessments to retain their authorized status, only furthering the financial strain. The new FedRAMP Authorization Act aims to discover where and how they can alleviate these cost constraints.
In addition to the above changes, the United States Office of Management and Budget and General Services Administration/FedRAMP Project Management Office will be required to produce and submit reports for Congressional review. These reports will document the metrics and performance standards of the FedRAMP program.
2. Allows agencies to certify vendors more easily
One of the FedRAMP Authorization Act’s most important features focuses on reciprocity. Reciprocity gives Cloud Service Providers (CSPs) the ability to authorize and then re-use their already-certified FedRAMP status across other agencies.
Put simply, this “presumption of adequacy” clause, as it is called in the official documentation, allows FedRAMP-authorized tools to be used by any federal agency without further checks. Formalizing a “presumption of adequacy” for government contractors makes it easier for organizations to certify vendors, opening the door for organizations to get easier access to more cyber-secure services.
3. Establishes a secure cloud advisory committee
Additionally, the Federal government seeks to provide more transparency and increased dialogue between themselves and industries. The government wants to drive stronger adoption of secure cloud capabilities and reduce legacy information technology.
To achieve this goal, the FedRAMP Authorization Act calls for the creation of a Secure Cloud Advisory Committee.
The committee will consist of 15 members, including five representatives from cloud services companies. Two of the five representatives must come from small cloud vendors. The committee will also contain one representative each from the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology. Two serving chief information officers from Federal government agencies will also sit on the committee.
Secure Cloud Advisory Committee members will work alongside the existing FedRAMP Joint Authorization Board to streamline selection and assessment processes. The two groups will uncover solutions to shorten the time to gain the authority to operate (ATO) and to update the framework over time.
What does the FedRAMP Authorization Act mean for my organization?
As of now, there are no immediate changes to make in regard to obtaining FedRAMP Authorization.
But we do suggest that organizations take advantage of the benefits of the FedRAMP Authorization Act. The Act has made it easier for commercial cloud and software providers to access multiple agencies across the federal marketplace.
This may provide a valuable opportunity to expand your organization’s work in the public sector — a highly profitable industry.
Get started with FedRAMP today
The FedRAMP Authorization Act will remove some of the current FedRAMP authorization bottlenecks and will make it easier for agencies to source FedRAMP ATO providers. For organizations that still need to obtain FedRAMP authorization, now is the perfect time to dive in.
A-LIGN is one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.
Contact A-LIGN today to learn more about our FedRAMP services.