Page 13 | A-LIGN

The world of compliance is one of numerous assessments and certifications, each varying in scope and effort depending on the industry it serves and the level of security it requires. Choosing the one that is right for your organization can bolster your security posture and improve your competitive edge.

On the flip side, spending time and effort on the wrong assessment can unnecessarily exhaust your organization’s resources.  

Between SOC 2, ISO 27001, PCI DSS, Federal compliance, HIPAA, and HITRUST, there are numerous factors to consider, such as timelines and organizational benefits. To help you make the right decision when choosing your next compliance initiative, our compliance experts put together a quick guide of the most common assessments, including their scope, timeline, and potential prerequisites.  

This article draws from the compliance Crosswalk Podcast, where A-LIGN’s practice leads for multiple compliance service lines shared their thoughts on which compliance assessments might be right for organizations of various types. They discuss the specifics in each of their areas including timelines, prerequisites, and common misconceptions, as well as how to identify which compliance assessments will best suit your organization’s needs.

ISO 

What is ISO 27001/27701? 

ISO 27001 is an international standard that helps organizations manage the security of information assets. It provides a management framework for implementing an Information Security Management System (ISMS). ISO 27001 is meant to ensure the confidentiality, integrity, and availability of all data that passes through the company. ISO 27701 is an additional assessment that can be added to ISO 27001, focusing on privacy.

Who is ISO 27001 for? 

ISO certification is excellent for any organization that is interested in doing business internationally. In addition, as a risk-driven standard, ISO 27001 is an excellent assessment for any organization focused on the confidentiality, integrity, and availability of the data in its environment.

What prerequisites are there to complete an ISO 27001/27701? 

Both ISO 27001 and 27701 have little-to-no barriers to entry. The standard itself is very similar whether you’re a small business or a large company. Aside from initial project scoping, there are no prerequisites. 

How long does it take to complete an ISO 27001/27701? 

ISO 27001 can take three to four months from start to finish and varies by organization, since it isn’t a checkbox audit but rather a discussion-based audit. The process is broken up into two stages.

The first stage on average takes around six weeks and includes a review of your company’s documentation to confirm it follows the ISO 27001 standard.  

Stage two can take four to eight months depending on the size of your organization and consists of interviews, an inspection of documented evidence, and process observation aimed at testing these controls and confirming your organization’s compliance. Following stage two is a round of remediations, which may vary in time depending on your specific audit.  

Why is ISO 27001/27701 valuable to your organization?

Being an international standard means your ISO certification will be recognized by organizations in markets around the world. You don’t need to have international operations to obtain this certification, which makes an ISO certification a great way to enter new markets.

PCI DSS 

What is PCI DSS? 

PCI DSS (Payment Card Industry Data Security Standard) is a widely accepted, industry-run and industry-enforced standard consisting of a set of policies and procedures intended for organizations that handle credit, debit, and cash card transactions, to ensure the protection of cardholders’ personal information.

Who is PCI DSS for? 

PCI DSS is for companies that handle sensitive credit card data. PCI DSS can also apply to companies that provide services within cardholder data environments (CDEs). If you affect the security of your own CDE or a client’s CDE, you can be brought into scope for a PCI DSS assessment.

How long does it take to complete a PCI DSS assessment?  

The preparation phase can take about six to eight months for those undergoing the assessment for the first time, and around three to four months on average for a renewal assessment. The amount of time it takes to complete the assessment ultimately varies depending on the organization’s environment, what its processes are, and what its infrastructure looks like.  

Entities that are very large are continuously prepping. As soon as one audit ends, they’re prepping for the next year, making PCI DSS a continual process for them. Smaller entities, by contrast, may have less of a lift to continually maintain those processes.

Why is PCI DSS valuable to your organization?  

Obtaining a PCI DSS Report on Compliance (ROC) and Attestation of Compliance (AOC) demonstrates your organization’s commitment to payment card data security and identifies the level of validation you have achieved. Failing to maintain PCI DSS compliance can range in fines from $5,000 to $100,000 per month depending on the size of the company and the scope of noncompliance. 

Penetration Testing & Vulnerability Scans 

What are Penetration Tests & Vulnerability Scans?

Vulnerability scans are automated exercises that identify known vulnerabilities in your network devices, hosts, and systems. These scans offer a quick snapshot of potential weak points in an organization that an attacker could leverage in an attack. There are multiple types of vulnerability scans, including quick, full, and compliance scans. These scans can be performed as a single point-in-time exercise or on a recurring monthly or quarterly schedule.

Penetration tests are manual exercises that evaluate the effectiveness of your organization’s cyber defenses by attempting to exploit discoverable vulnerabilities using the same tools and techniques attackers use. Pen tests can cover mobile and web applications, networks, wireless, and social engineering (phishing email, vishing phone calls, physical entry). These assessments are often used as part of SOC 2, PCI DSS, FedRAMP, and more.

Why is a Penetration Test valuable to your organization?  

Both penetration tests and vulnerability scans are often performed with compliance frameworks such as SOC 2 or PCI DSS in mind. If you’re undergoing a compliance audit, there’s a high chance that you need a pen test. Even if you’re not completing an audit, a pen test is a very important exercise to perform, as it allows you to better understand what your potential attack surface may be. A penetration test will also help identify frameworks and components in use across the organization that may be outdated, such as third-party libraries in mobile and web applications. This can help organizations stay up to date and shift to new frameworks and libraries with long-term support. Results from a penetration test can also be used to understand whether an organization has effective detection capabilities across systems and hosts, and where gaps may exist.

HITRUST 

What is HITRUST? 

HITRUST Alliance is a private company founded in 2007 that offers the HITRUST CSF. By pulling from major pre-existing frameworks and working with organizations to better understand their needs, HITRUST provides a complete, certifiable security and privacy standard. This standard gives customers confidence that their data and confidential information are secure.

Who is HITRUST for? 

HITRUST CSF is a security framework that provides a comprehensive approach to HIPAA compliance, enabling organizations to cover both the security and compliance components of HIPAA while being tailored to the requirements of their specific industry. For these reasons, many healthcare organizations, and those working with healthcare companies, undergo a HITRUST certification. Since HITRUST is based on many pre-existing frameworks, some organizations outside of the healthcare industry also find HITRUST a helpful assessment to ensure they are meeting security and privacy standards.

How long does a HITRUST Assessment take? 

HITRUST typically takes six to eighteen months, depending on the scope of the project and the preparation required. 

Why is HITRUST valuable for your organization? 

Achieving HITRUST Certification satisfies regulatory requirements mandated by third-party organizations and laws, in addition to helping your organization differentiate from the competition, resulting in increased revenue and market growth. In addition to the added revenue, HITRUST Certification saves time and money by leveraging a solid and scalable framework that includes multiple regulatory standards. 

SOC 

What’s the Difference Between SOC 1, SOC 2, & SOC 3?

SOC stands for System and Organization Controls and is one of the most sought-after security assessments in the US market. The American Institute of Certified Public Accountants (AICPA) is the governing body of the SOC framework. There are three kinds of SOC assessments: SOC 1, SOC 2, and SOC 3.

SOC 1 assesses your organization’s controls that have the ability to impact the financial statements of your end users. This includes business process controls based on the organization’s services, as well as information technology general controls that support the overall security of the system. 

A SOC 2 audit examines the controls your organization has in place to protect and secure the system and services used by customers or partners. The security posture of your organization is assessed against the requirements of a SOC 2 examination, known as the Trust Services Criteria (TSC).

A SOC 3 is a general-use version of a SOC 2. A SOC 2 may contain sensitive details about an organization’s system, including details about your people, processes, and technology that should not be shared with the general public. Obtaining a SOC 3 allows you to share your report without any sensitive information included. 

Who is SOC for? 

SOC 1: Because a SOC 1 deals with organizations that provide services that can impact the financial statements of their user entities or their clients, not all organizations need a SOC 1 but anyone who wants one can typically get one. 

SOC 2: Any organization that can affect another company’s information security can, and is encouraged to, obtain a SOC 2 report. This makes it the most common compliance assessment in the United States, and it is gaining traction in other markets around the world.

Why is SOC 2 valuable to your organization?

SOC 2 has become the unofficial baseline for security compliance in the United States. Having a SOC 2 report enables your organization to demonstrate its dedication to security, builds trust with current and future customers, and opens up an array of business opportunities.   

Federal  

What is Federal Compliance?  

The Federal Information Security Modernization Act (FISMA) of 2014 says every federal agency must have a formal cybersecurity program that includes a risk management review of a system before it’s used for the government, whether the government owns the system or is contracting that service from someone else. From this, all federal assessment and authorization frameworks are created by the National Institute of Standards and Technology (NIST), the federal agency tasked with providing general guidance on federal cybersecurity. From NIST, we get a series of assessment and authorization frameworks for different government agencies and covering various services, including NIST 800-171, FedRAMP, CMMC, and more. These frameworks are also adopted and modified for state and local government agencies, for example StateRAMP.

Are there any prerequisites for Federal Compliance?  

Federal compliance authorization assessments typically require a federal or other government agency to sponsor your organization’s system offering. If you don’t have an agency that’s sponsoring you through a federal assessment and authorization program, you will most likely not be able to start the assessment. 

What is the Risk Management Framework?

The Risk Management Framework (RMF) is the basis for all federal compliance assessment and authorization programs. RMF is tailorable and specific to each federal agency based on their implementation requirements to meet FISMA. 

What is FedRAMP? 

With the introduction of cloud technology, a service offered to one agency can now have an impact well beyond that single agency, which led to the creation of the FedRAMP program. FedRAMP is required of any cloud service provider seeking to do business with the Federal Government. Unlike other federal compliance assessments, FedRAMP is a framework that is the same for all agencies within the federal government. A single FedRAMP assessment can be leveraged or reviewed by any federal agency to authorize the use or procurement of that service or product.

How Long Does FedRAMP Take?  

FedRAMP is very granular, very prescriptive, and very rigorous, making it one of the longest assessment processes. The preparation for a FedRAMP assessment can typically take anywhere from six months up to eighteen months. The actual assessment may take anywhere from four to six months. Because of the granularity of the FedRAMP process, it’s important to use an assessor who has performed many assessments and can conduct the assessment in the most efficient and effective manner.

What is StateRAMP?

StateRAMP is the state and local government equivalent of FedRAMP and allows a company offering services to state and local governments to achieve authorization to do business with them. The advantage of going through a StateRAMP assessment is that it allows an organization to conduct business with multiple state governments using one assessment.

What is CMMC?  

The Cybersecurity Maturity Model Certification (CMMC) is a new compliance program developed by the Department of Defense (DoD) to ensure that cybersecurity controls and processes adequately protect Controlled Unclassified Information (CUI) that resides on Defense Industrial Base (DIB) systems and networks. It will be required for any organization that works with CUI and is interested in conducting business with the DoD.

Interested in learning more about which compliance assessment is right for you? Get in touch today with one of our compliance experts at [email protected].

Pursuing a SOC 2 audit brings value to your organization in a number of ways. The in-depth audit provides you with increased insight into your security posture and gives you a better understanding of your opportunities to improve controls and processes. A SOC 2 audit also provides a competitive advantage and boost to your organization’s reputation — customers and prospects can rest assured knowing your organization takes security seriously. 

A SOC 2 audit isn’t just a one-time exercise. The audit must be renewed yearly. Consistently renewing your SOC 2 audit builds continuity with your controls and processes and helps to ensure that everything you put in place continues to function as needed.  

The renewal process may sound time consuming at first, given how in-depth the initial SOC 2 audit process can be for an organization. But renewals don’t have to be a burden.   

Here are some tips and tricks to help navigate the renewal process so you can save time and money, and use internal resources strategically.  

1. Work with the same auditor 

If you were happy with your service during the initial SOC 2 audit, work with the same vendor for the renewal process. Working with the same auditor year after year will create efficiencies in the audit process. The vendor will become familiar with your environment and internal processes, and you’ll avoid the time-consuming task of onboarding a new audit firm each year — which can take weeks.  

If the vendor uses audit management software to streamline the evidence collection or audit process (like A-SCEND), you may also benefit from rollover features within that technology. Rollover features automatically collect and update information based on what was collected into the system in past efforts. This speeds up the evidence collection process and can condense your renewal timeline greatly.  

2. Consider a multi-year bundle 

Oftentimes auditors will offer a multi-year bundle package, allowing you to pay upfront for a certain number of SOC 2 renewals. It’s a great way to save money in the long run — and plan your budget ahead of time. With a multi-year bundle, you lock into a certain price per renewal. Otherwise, renewal prices may increase year over year as your business scales and the economy changes. 

At A-LIGN, we offer a three-year bundle package for customers. The bundle includes access to our SOC 2 certified experts, as well as use of our audit management software, A-SCEND, which streamlines the audit process for your team.

3. Allocate internal resources 

Continuity on the auditor side is great — as is continuity within your organization. It’s helpful to utilize the same internal resources each year (when possible) to manage the SOC 2 audit and renewal process.  

The initial SOC 2 review process requires a lot of heavy lifting. But subsequent years tend to be more efficient because your team has a better understanding of what is required based on the prior year. Each year gets easier, and the more consistency you can create among your internal SOC 2 leads, the better.

Renew your SOC 2 with A-LIGN 

A-LIGN is the top issuer of SOC 2 reports in the world. We combine industry expertise and a leading compliance automation software platform to make the SOC 2 audit and renewal process seamless for your team.  

Contact us today to speak to a SOC 2 expert about the SOC 2 renewal process and our multi-year bundle options.  

Our 2022 Compliance Benchmark Report detailed how organizations are navigating the current compliance landscape, as well as how they are preparing for the future. By surveying more than 200 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals, we learned how organizations make their compliance programs run smoothly and efficiently, along with where there may be areas for improvement for businesses of all sizes and across all industries.   

Here are five compliance management key takeaways from the 2022 Compliance Benchmark Report that you can use to improve your organization’s compliance program.   

Key Takeaway #1: Develop a Ransomware Preparedness Plan 

Organizations across all industries have concerns about the increased number of cyberattacks worldwide. In fact, a full 83% of survey respondents said they believe they would be impacted by an attack on critical infrastructure. 

The heightened concern for ransomware attacks has caused many organizations to dedicate more time and effort to create a strategy to prevent attacks and reduce the potential damage if — or more likely, when — an attack does occur. Our 2022 Compliance Benchmark Survey found that 40% of organizations are planning to develop a ransomware preparedness plan this year.   

Key Takeaway #2: Implement a Zero Trust Architecture 

Zero trust is an IT security model that focuses on restricting information access within an organization to only those who need it. The zero-trust approach is to assume that threat actors are present both inside and outside an organization, meaning no users or machines are trusted by default.  

When it comes to zero-trust adoption, our survey found that 73% of organizations with $50M – $1B in annual revenue agree/strongly agree about the need to adopt a zero trust security strategy. That number dropped significantly to 45% for companies with less than $5M in revenue. Larger companies may believe they are a top target for cybersecurity attacks, causing them to take initiative and further protect their systems and information. 

However, it is essential for all organizations to implement a zero trust architecture. As overhauling a business’ network infrastructure is a very disruptive task, it’s important to troubleshoot possible scenarios that may occur during the implementation process before you begin. To learn more about how to implement zero trust at your organization, read our blog post about the recommended steps to take. 

Key Takeaway #3: Simplify Compliance Audits with an Audit Consolidation Strategy 

Completing multiple security audits is one of the most surefire ways to find gaps in protection. However, with so many worthwhile audits to pursue, it can be difficult to manage multiple workstreams and keep track of varying control elements.  

Audit consolidation — or, conducting audits in tandem as a singular annual event — is a simple way for organizations to maximize both cost and time efficiency. 

One of the biggest findings we uncovered during our research is that even though 85% of organizations conduct more than one audit every year, only 15% of the same organizations have consolidated their audits down to a single, annual event.  

A-LIGN’s audit management platform, A-SCEND, allows organizations to gain instant visibility into their compliance standing and view how close they are to completing additional certifications. A-SCEND’s Crosswalk feature demonstrates how easy it is to deduplicate efforts across multiple certifications by using evidence from your current and/or prior audits.

Read more about audit consolidation strategies, and how you can strategically manage resources within your business, here. 

Key Takeaway #4: Move from Tactical to Strategic Compliance 

Even with frequent economic turmoil, organizations will continue to prioritize their dedication to cybersecurity, investing in measures that prove an organization’s commitment to cybersecurity.   

Our team found that SOC 2 is the report or certification that helped close the most deals, as it is the most requested report or certification by clients. That may be the reason why 67% of our survey respondents said they were either currently completing a SOC 2 audit or had one scheduled within the next year.  

Compliance audits and attestations continue to be valuable differentiators for organizations looking to attract new customers. Read more about how organizations are using audits and attestations to increase revenue, garner new business, and stand out from the competition.

Key Takeaway #5: Streamline Compliance with Auditor-Assisted Software

One of the most significant changes we saw in this year’s report was the large increase in the number of organizations using technology to assist compliance efforts. In 2021, only 25% of organizations we surveyed used software to prepare for their audits and assessments. But in 2022, that number skyrocketed to 72%.  

The two main reasons for this dramatic increase are: 

  • Increased awareness of compliance-related software. 
  • A rise in auditor adoption and advocacy of compliance software. 

Compliance software allows companies to do more with less, streamlining the audit process and helping organizations overcome stressful resource deficits. Get up to speed on how companies are using this technology to assist compliance efforts, and how you can implement auditor-assisted software in future assessments.  

Start the New Year with Proactive Compliance Management 

Our annual compliance benchmark report provides a pulse on compliance and cybersecurity trends across industries and organizations. To see how your organization’s compliance protocols compare to others, fill out our 2023 Compliance Benchmark Survey and keep an eye out for our 2023 report coming in Spring 2023. 

Looking to learn more about how audit consolidation and compliance software will save your organization time, resources and budget? Complete the form below to speak with one of our compliance experts. 

With the cost of cybercrime skyrocketing, now is the time for organizations to enhance their cybersecurity programs. The best way to find gaps in protection is to complete multiple security audits, but it can be cumbersome for organizations to manage multiple audit processes. Enter audit consolidation.

By consolidating multiple audits into a single process, organizations save time and resources while increasing efficiency. In the graphic below, our experts break down how organizations can best streamline the multiple-audit process.

[Infographic: A-LIGN Audit Consolidation]

Building Your Master Audit Plan

The majority of organizations complete two to three separate audits per year. Creating a master audit plan (MAP) will save your organization time and money by streamlining the audit process and increasing efficiency. 

A-LIGN works with organizations throughout the entire audit process, from readiness to report, across multiple security compliance frameworks. Our team of auditing experts will ensure your MAP scales with your business and reflects the evolution of your personal audit process. 

Ready to create a MAP and begin consolidating your audits? Contact one of our experts to get started today! 

In 2020, hackers broke into the networks of the Treasury and Commerce departments as part of a months-long global cyberespionage campaign. It happened after malware was slipped into a SolarWinds software update — a popular piece of software used by multiple U.S. federal agencies.

As expected, the incident prompted the Federal government to update its software security requirements. In this blog post, we’ll review the new federal compliance requirements — “Enhancing the Security of the Software Supply Chain through Secure Software Development Practices” — and discuss the impact of this change. 

An explanation of changes 

The updated guidance from the Office of Management and Budget (OMB) represents a commitment to furthering the maturity of the Federal government’s approach to supply chain risk management. It builds on other recent initiatives from the Biden administration, including the federal zero trust strategy.  

The guidance represents an attempt to ensure security in open-source software to protect federal data. The OMB memo requires agencies to ensure their software is developed in line with two documents published earlier this year by the National Institute of Standards and Technology (NIST):  

  • Secure Software Development Framework (SSDF) 
  • Software Supply Chain Security Guidance 

Currently, instead of a third-party audit, agencies only need to obtain a self-attestation from the software producer that the vendor follows the NIST practices. If software vendors don’t meet all of the NIST practices, agencies may accept a “plan of action and milestones” from the vendor outlining how they will update their cybersecurity practices to meet the NIST practices. 

The impact of federal compliance updates 

This guidance impacts software producers who service the Federal government. The guidance must be applied to all software developed in the future, as well as any updates to existing software used by the Federal government.  

As such, we will see a trickle-down effect into federal contracts that procure or use vendor software solutions — especially in the cloud. Contracts will include more stringent cybersecurity protocols to meet the requirements within the memo.  

Areas of concern 

While we applaud the evolution of federal compliance standards and government cybersecurity protocols, we do see two main areas of concern with the new guidance: the software bill of materials, and the acceptance of a self-attestation. 

Software Bill of Materials (SBOM) 

As part of the new requirements, federal agencies have 90 days to inventory all third-party software. After that, agencies must communicate relevant requirements to vendors and collect attestation letters.  

This is easier said than done. Maintaining an accurate and current inventory of software and hardware has always been an issue, especially for enterprise-level organizations. Now, there will be greater scrutiny of this inventory management. We anticipate logistical issues getting this off the ground that could delay the implementation of these new software security requirements.   

Self-Attestation 

The memo allows agencies to accept a self-attestation from software vendors, attesting to the vendor’s adherence to NIST frameworks. Unfortunately, that hasn’t always worked well in the past. 

You may recall that the Defense Federal Acquisition Regulation Supplement (DFARS) allowed DoD contractors and subcontractors to self-attest to their adherence to NIST SP 800-171. After auditing a handful of contractors, the DoD found too many deficiencies within organizations that had self-attested to their NIST compliance. To mitigate this issue, the DoD updated DFARS to introduce the Cybersecurity Maturity Model Certification (CMMC). This included a certification process via CMMC Third Party Assessment Organizations (C3PAOs) that replaced the self-attestations.

We anticipate similar issues will arise with this new OMB guidance. It’s likely that self-attestation is just an initial step to help get this program off the ground. In the future, these new compliance requirements may eventually roll into an existing federal cybersecurity framework that requires independent validation.  

How to approach federal compliance 

If you are a software vendor servicing the Federal government, you should expect to see more stringent cybersecurity requirements trickle into your government contracts. To prepare — and eliminate the risk of losing your existing government contracts — it’s best to pursue federal assessments and compliance initiatives that attest to your cybersecurity maturity. These may include: 

  • NIST 800-171 assessment to evaluate your company’s controls against the published controls of NIST 800-171.  
  • FISMA certification to help your company to develop, document, and implement an information security and protection program. 
  • CMMC certification (relevant for DoD contracts). 
  • FedRAMP authorization. 

A-LIGN can help meet all of your federal compliance needs. Contact our experts today to learn more.

The ongoing increase in cyberattacks has emphasized the importance of cybersecurity and compliance management, especially for startups still gaining market share. As startups work to win new customers, they may have to overcome a prospect’s fears that as an organization so new, they may not have strict security protocols in place to keep their information and data secure. 

Compliance certifications and reports help startups earn customer trust so that customers feel more secure working with small businesses. Bonus: third-party attestation to the security of your systems makes your startup look much more mature to investors, which means more opportunities for money in your pocket! 

However, compliance authorization and attestation programs can seem overwhelming because of all the pieces organizations need to consider — especially the strain it can place on startups with already-limited resources.  

Compliance for startups doesn’t have to mean spending all of your time and money on compliance initiatives immediately. Take a layered approach to compliance, treating the process like a marathon instead of a sprint, to ensure your organization does not act outside of its means. Here are four important compliance management tasks to complete in order to begin your cybersecurity journey on the best foot: 

  1. Determine your risk areas. 
  2. Invest in technology, including internal education and security tools. 
  3. Establish and test an incident response and business continuity plan. 
  4. Select an auditing firm. 

1. Determine Your Risk Areas 

All startups must first take inventory of what they are trying to protect to understand where to focus their compliance and cybersecurity efforts. To determine a company’s most valuable assets, startups should ask themselves:  

  • What are the risks across my infrastructure? 
  • What’s the likelihood of the risk occurring? 
  • What are the implications of that risk?  
  • What’s the cost of NOT doing something to address the risk? 

Once these risks are assessed, it’s important to communicate the findings to the entire company. Making sure everyone is on the same page ensures resources are responsibly divided among priorities. 

After determining their risk areas, startups can begin pursuing compliance for various standards. Many startups choose to become SOC 2 compliant first, as its strict protocols provide reassurance to potential customers. But there are also other relevant compliance standards for specific individual industries, such as HIPAA for healthcare startups or PCI DSS for startups processing financial/credit card data. 

2. Invest in Technology, Including Internal Education and Security Tools 

Organizations are only as secure as their weakest link, which usually tends to be their people. Educating and training employees should be considered just as important as implementing technical controls to protect information. Internal team members must understand how they can help avoid — or at least reduce — the risk of a cyberattack. 

For startups to establish a secure environment at the most basic level, they should:  

  • Ensure each department follows existing policies and is properly using the most updated version of relevant security controls.  
  • Ensure all employees are using a VPN if they are not working from a secure office location. 
  • Provide security awareness training for employees to ensure they are knowledgeable about current threats and best practices to prevent an event from occurring.  
  • Require multi-factor authentication for all logins. 

3. Establish and Test an Incident Response and Business Continuity Plan 

There is no way to completely eliminate the possibility of a cyberattack. This is why it’s so essential for startups to have an incident response plan in place well ahead of time.  

When creating an incident response or a business continuity plan, startups should consider including each of the following to maximize the plan’s effectiveness:  

  • How to assess the technical impact of a breach or incident  
  • How to identify compromised data 
  • How to determine the organizational impact of a cyberattack 
  • Best practices for notifying relevant parties 
  • Plans to execute a PR strategy after an incident has occurred 
  • Plans to implement third-party monitoring 

There are third-party organizations that can audit your startup’s response plan. Some organizations, like A-LIGN, even offer assessments to see how your response plan would withstand a ransomware attack or major cybersecurity event. These assessments can help you find holes in your frameworks in a non-emergency situation, allowing you time to make revisions. 

4. Select an Auditing Firm 

Once your startup reaches a certain level of compliance and cybersecurity maturity, it’s time to bring in an auditing firm to help you continue on your journey. A firm should be able to act as a trusted partner who can help you navigate the intricacies of the compliance management and security landscape. They can also guide you on which compliance tasks/frameworks make the most sense for your industry. 

Certain federal agencies require the organizations they do business with to obtain specific authorizations, like FedRAMP or StateRAMP. These two authorizations have lengthy auditing processes that can be time consuming for well-established organizations to manage on their own. Startups may have even fewer internal resources. 

A-LIGN will work with you to acquire the proper certifications as needed and will partner with you to ensure your organization continues to properly mitigate risk as it grows.   

Prioritize Compliance Today 

When it comes to compliance management for startups, your organization can start taking a proactive approach to security today — even if you only have limited financial resources.  

A-LIGN is well-versed in meeting the requirements of a broad range of compliance standards and security frameworks including SOC 2, PCI DSS, ISO 27001, GDPR, FISMA, FedRAMP, and NIST-based frameworks. Our advisors and auditors can help guide your startup on its compliance journey and partner with your team to help you meet all compliance needs. 

With the right partner in place, you can start scaling your business. Begin your compliance journey with A-LIGN today. 

What is StateRAMP and How Does It Relate to FedRAMP?

by: A-LIGN and Pinal Desai, 27 Oct 2022, 7 min read

FedRAMP


StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments. Learn the ins and outs of the StateRAMP compliance framework, its relationship with FedRAMP and how StateRAMP could impact your business. 

As cyberattack attempts carried out against state and local governments continue to become more prevalent, government agencies are in dire need of a way to modernize and systematize their cybersecurity practices — especially regarding cloud technologies. That’s where the State Risk and Authorization Management Program (StateRAMP) comes in.  

According to Comparitech, various ransomware attacks cost the U.S. government close to $19 billion in 2020. And recent ransomware attacks on state-run facilities have highlighted the importance of increased and improved cybersecurity measures for state and local governments.  

StateRAMP provides a comprehensive security framework designed to improve cloud security for state and local governments. It delivers a uniform approach to verifying that cloud service providers (CSPs) meet the standards and regulations needed to do business with state and local governments.  

As I outline the details of the StateRAMP compliance framework and its relationship with the Federal Risk and Authorization Management Program (FedRAMP), you will see how, and if, this could impact your business. 

The StateRAMP and CSP Relationship 

As mentioned above, StateRAMP was created to help state and local government agencies manage and verify the cybersecurity posture of third-party vendors that provide cloud technology solutions, also known as CSPs. This is important because CSPs have been replacing on-premises information technology (IT) solutions at a rapid rate over the past 10+ years.  

CSPs offer government agencies cloud computing solutions and services like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), all of which are designed to improve an organization’s agility and scalability. Gaining advanced storage, computing, and analytics capabilities has become essential for many government agencies to increase collaboration and remote accessibility while gaining deeper insights into their data.   

As government agencies adopt StateRAMP to enhance their cybersecurity posture, CSPs that respond to RFPs in those states will need to prove they are StateRAMP authorized. This will be a requirement for any CSP proposals to be considered by certain local government agencies.  

StateRAMP’s Solution for State-based Cybersecurity    

The StateRAMP framework was created by the StateRAMP not-for-profit organization in response to the growing cyber threat crisis that stands to disrupt modern life in unprecedented ways. According to StateRAMP, the program’s purpose is to: 

  • Help state and local governments protect citizen data. 
  • Save taxpayer and service provider dollars with a “verify once, serve many” model.  
  • Lessen the burdens on government.  
  • Promote education and best practices in cybersecurity among those it serves in industry and government communities.  

Protecting Citizen Data 

In the recent onslaught of ransomware attacks, it is frequently citizen data that is held hostage by threat actors demanding a payout. This data is often personally identifiable information (PII) that, if exposed, can allow attackers to commit identity theft or monetize the stolen data on the dark web.  

Because state and local government officials are elected to serve the needs of their citizens, keeping personal data safe is a major priority. 

Verify Once, Serve Many 

StateRAMP makes things easier for CSPs by allowing them to transfer their credentials and certifications across a set of uniform standards. The “verify once, serve many” model was designed so CSPs only need to have their cloud offering or product authorized once to confirm its cybersecurity standards are adequate. This authorization is then enough to be recognized by other government agencies that adopt StateRAMP.  

Government employees and officials are able to join StateRAMP at no cost as the program is entirely vendor-funded. This ensures enhanced cybersecurity is accessible for all state and local government agencies, regardless of size or budget.  

Lessening the Burden on Government 

Related to the last point, the StateRAMP model alleviates strain on state and local governments by removing the need for them to conduct redundant security assessments. In addition to being cost efficient because StateRAMP removes the need for repetitive CSP security assessments, it saves countless hours and staffing needs that could be better utilized elsewhere.  

For example, before StateRAMP, a government agency might have to review a dozen CSP vendors that responded to an RFP, even if they knew only a few of them would likely have acceptable cybersecurity standards in place. With StateRAMP, governments don’t have to waste valuable resources doing assessments for organizations that are severely lacking in cybersecurity maturity.  

Promoting Cybersecurity Education and Best Practices 

In the constantly evolving landscape of cybersecurity and compliance, it can be tough to stay up to date on the latest developments and regulations. StateRAMP aims to be as transparent as possible about policies and procedures, making cybersecurity knowledge available for anyone who wants to learn. In fact, the StateRAMP website provides a wealth of documents, templates, and other resources related to StateRAMP compliance.  

After all, StateRAMP was designed to ensure government agencies and CSPs truly understand the reasoning and mechanisms behind the StateRAMP framework.   

How Does StateRAMP Work? 

Much like FedRAMP was created to provide a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services that store, process and transmit federal information, StateRAMP was designed to do the same for state and local government agencies.

StateRAMP’s Security Assessment Framework process is modeled after the National Institute of Standards and Technology (NIST) Risk Management Framework. Its primary requirements for CSPs seeking authorization include: 

  • Compliance with the security controls listed in NIST Special Publication 800-53 Rev. 5. 
  • A relationship with a Third-Party Assessment Organization (3PAO) that serves as a partner and educator throughout the entire process.
  • Producing an in-depth security report in collaboration with a 3PAO that proves the organization has all the necessary controls in place and meets all requirements for authorization.  
  • Participating in continuous monitoring to demonstrate that the organization continues to maintain StateRAMP compliance.  

To have a cloud offering or product become StateRAMP authorized, CSPs must work with their 3PAO to identify their impact level category based on the type of government data they handle, and the consequences that would result if a breach were to occur.  

Each of the four categories corresponds to a defined set of security controls that aligns with a familiar FedRAMP impact level: 

  • Category 1 – This is the baseline any CSP has to meet. It maps to systems that involve publicly available data. Category 1 aligns with the “low” impact level in FedRAMP. 
  • Category 2 – This category covers data that is not available to the public, such as PII. Category 2 aligns with the “low” impact level in FedRAMP and contains some elements of the “moderate” impact level control baselines. Category 2 will continue to be developed and validated throughout this year.  
  • Category 3 – This category involves confidential data and systems that are of high criticality to the continuity of government. Category 3 aligns with the “moderate” impact level in FedRAMP.
  • Category 3+ – This category is reserved for FedRAMP High authorized systems for reciprocity with StateRAMP.  

StateRAMP also provides an official data classification tool that includes a brief survey to help government agencies determine which StateRAMP security category requirements they need to include in their RFPs. This tool can also help CSPs better understand the StateRAMP security categories and what they entail.  

Why Is StateRAMP Necessary?  

With so much overlap between StateRAMP and FedRAMP frameworks, you may be thinking, “Why doesn’t a CSP just seek FedRAMP authorization for their products and achieve the same security outcome?”  

It’s a fair question. FedRAMP built a reputation as a model security program over the past 10 years and has authorized hundreds of cloud products. Prior to this year, many CSPs that offered cloud solutions to state and local government agencies found themselves using FedRAMP security guidelines, but were still unable to achieve official FedRAMP authorization. This is because FedRAMP was specifically designed for federal agencies. This means organizations cannot obtain FedRAMP authorization without doing business with the federal government.  

For this reason, a coalition of industry members decided to form the StateRAMP not-for-profit organization to bring FedRAMP’s standardized cloud security approach to state and local governments. As a growing number of states plan to join StateRAMP (the StateRAMP organization is in talks with hundreds of government officials across 35 states and counting), it would be wise for CSPs to start preparing for StateRAMP authorization sooner rather than later.   

In addition to enhancing cybersecurity by providing a uniform approach to risk-based management, accomplishing StateRAMP authorization can help CSPs save time and resources by allowing them to re-use their security authorization across multiple government agencies. StateRAMP also increases transparency and trust between government agencies and CSPs, reducing the likelihood of any miscommunication, oversights, or errors that could affect potential contracts or working relationships.  

Note: For CSPs that do business with both federal and state/local government and are already FedRAMP authorized, a reciprocity program is in process that will allow these organizations to take an accelerated path to StateRAMP authorization.  

Get Started with StateRAMP  

In a time when the public and private sectors are realizing they must work together to keep out threat actors, StateRAMP is a significant milestone for transparency, standardization, and community in cybersecurity.  

If your organization requires StateRAMP authorization to do business with a state or local government agency, A-LIGN can help put you on the right track. Drawing from our extensive experience as a 3PAO for FedRAMP, A-LIGN is one of the only StateRAMP-registered assessors on the market today. Contact us to learn more about how you can get started with StateRAMP. 

If your organization currently provides, or is seeking to provide, cloud products or solutions to a federal agency, then you already know you must undergo a Federal Risk and Authorization Management Program (FedRAMP) assessment. The experts at A-LIGN have put together a comprehensive FedRAMP Authorization guide to help you prepare for the assessment.

Created in 2011, FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services relied upon by federal entities that store, process, and transmit federal information. The goal of FedRAMP is to provide a set of agreed-upon standards to be used for cloud product approval.  

Once you’ve secured agency sponsorship and developed a System Security Plan (SSP) based on your defined categorization level (Low, Moderate, or High), it’s time to work with a FedRAMP 3PAO to perform your Security Assessment. That’s where A-LIGN comes in. A-LIGN is an accredited FedRAMP 3PAO (third-party assessment organization) and one of the top 3 FedRAMP assessors in the world.  

Here is a look at the step-by-step process you’ll need to complete to earn FedRAMP authorization with A-LIGN.  

Before you begin 

This article is intended for companies that have already secured a sponsor and developed an SSP. If you haven’t yet done that, we recommend you take some time to research the FedRAMP process and potentially conduct a FedRAMP readiness assessment. 

Research 

At A-LIGN, we recommend organizations review the following materials to ensure they have a baseline level of knowledge to help prepare for the FedRAMP assessment process: 

  • Everything You Need to Know About FedRAMP 
  • 3 Tips to Prepare for FedRAMP Authorization 
  • FedRAMP: Understanding the Fundamentals (FAQ)  
  • FedRAMP for Cloud Service Providers – Top 4 Questions Answered  
  • CSP Authorization Playbook: Getting Started with FedRAMP 
  • FedRAMP Security Controls Baseline  
  • FedRAMP Marketplace Designations for Cloud Service Providers 
  • FedRAMP Initial Authorization Package Checklist

Readiness assessment 

Organizations that are familiar with the controls within NIST 800-53, and are FISMA certified, can jump right into the FedRAMP process. If you are not familiar with FISMA or FedRAMP, and have never written a system security plan, we recommend that you perform a FedRAMP readiness assessment, or gap assessment, to determine your level of readiness for the 3PAO assessment. 

A-LIGN can conduct a readiness assessment for you, in which we will review your environment and determine if it is technically capable of meeting FedRAMP requirements. This is a great way to get a pulse on your current environment before investing time and resources into a full assessment.  

Step 1. Pre-assessment review (1-4 weeks) 

If you are ready for an official assessment and have signed a contract with A-LIGN, then we’ll kick off our work with a pre-assessment review phase. During this phase, you will finalize the Cloud Service Offering System Security Plan — which you previously developed — and provide the SSP package (including all attachments) to A-LIGN for review. 

We will use that information to perform a FedRAMP Pre-Assessment Review. During this review, we’ll ensure we have everything we need to proceed with the assessment without any delays. Keep in mind that the quality of the evaluation is dependent on the accuracy and volume of information you provide to us. The more you can provide, the better. 

Once the review is complete and we have determined you are ready for the FedRAMP assessment, we will schedule a kick-off meeting between your team and ours at A-LIGN to plan out the full assessment.  

Step 2. Planning activities (4 weeks) 

After the Pre-Assessment Review phase, you will need to submit responses to the initial Information Request List (IRL) that A-LIGN provides. While you are working on the IRL responses, we will submit a few materials to your sponsor to review. These include: 

  • An Authority to Test (ATT) – This is part of our penetration test planning. 
  • A Security Assessment Plan (SAP). 

Step 3. Assessment activities (7 weeks) 

This is the longest phase of the FedRAMP process and consists of fieldwork. The fieldwork is split into phases where we interview members of your team about your cloud service offering and the security controls implemented and review the evidence confirming the proper implementation of FedRAMP security requirements. Keep in mind that we do not begin our evidence review until at least 90% of the IRL evidence is provided by your team. It’s important to plan ahead, so we can stay on schedule throughout the assessment process and avoid delays.  

We will also conduct a penetration test at this time. The penetration test is required for all FedRAMP Authorization assessments for Moderate and High impact systems. Although the penetration test is not a requirement for FedRAMP Ready assessments, it is recommended as a safety net to eliminate any surprises we may encounter during the actual authorization testing. 

Once we conduct the penetration test and get through a majority of the evidence review, we will analyze and discuss the findings with your team via a draft risk exposure table (RET). Once that draft RET is provided to your team, you can create a plan of action and milestones (POA&M) to remediate these issues.  

Step 4. Reporting activities (5 weeks) 

Upon completion of our full evidence review and penetration test and any remediation to correct findings outlined in the draft RET, a draft Security Assessment Report and penetration test report will be provided for review.  

We will analyze and discuss the findings with your team after the remediation period and before drafting your report. Once the final report is complete, it will be sent to your Sponsor, who will review the SSP and the SAR together. 

Step 5. Sponsor issues authority to operate (2-3 weeks) 

After the Sponsor completes their review, the Sponsor will issue an ATO and the FedRAMP Authorization Package will be sent to FedRAMP for review. Once FedRAMP’s review is complete, your cloud service offering will receive its official FedRAMP Authorized designation, and FedRAMP will list it as “Authorized” on the FedRAMP Marketplace.   

Step 6. Maintain authorization 

It’s important to remember that FedRAMP authorization is not a set-it-and-forget-it process. Annual assessments are required to maintain FedRAMP authorization, along with meeting FedRAMP continuous monitoring requirements with your Sponsor. 

The A-LIGN team can provide annual assessments (including penetration testing, control assessments, systems scanning, and more) to ensure your cloud solution offering maintains FedRAMP compliance. 

We can also conduct one-off assessments to ensure compliance after your organization undergoes major changes (like an acquisition). During a “Significant Change Request Assessment,” we will review and assess any significant changes that may impact your compliance with FedRAMP requirements. 

Get Started with A-LIGN 

At A-LIGN, we are one of the top FedRAMP assessors in the world, with a 96% satisfaction rating from our customers. Our experts can help you through every step of the process — from a readiness assessment to final authorization.  

Contact A-LIGN today to learn more about our FedRAMP services. 

There are four FedRAMP baselines, or impact levels: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High. These levels differ in the number of controls each baseline requires. 

The majority of FedRAMP-authorized organizations pursue Moderate authorization. But today, more and more cloud service providers (CSPs) are looking to move from their Moderate authorization to a High authorization. This higher authorization allows organizations to work with government entities that require more stringent protocols to protect the Federal government’s most sensitive unclassified data. 

Along with opening the door to more business opportunities, higher impact levels can make an organization look more attractive to clients. A higher impact level highlights an organization’s stringent adherence to specific cybersecurity controls, which can provide an extra level of reassurance for clients.  

Here’s how organizations can move from the Moderate impact level to the High impact level. 

FedRAMP Impact Levels Explained 

The Federal Risk and Authorization Management Program, or FedRAMP, is the U.S. Federal government’s standardized approach to securing the cloud services that its agencies use. FedRAMP grants authorizations at four impact levels: Low Impact SaaS (FedRAMP Tailored or LI-SaaS), Low, Moderate, and High. Each level has a different control baseline: 

  • Low Impact SaaS (FedRAMP Tailored or LI-SaaS): LI-SaaS is a subset of Low impact and typically includes at least 50 of the controls to be independently assessed. This tailored baseline accounts for SaaS applications that do not store personally identifiable information beyond what’s required for login capability, such as usernames and passwords. Therefore, organizations that achieve the LI-SaaS level would only experience minor adverse effects should a loss of confidential information occur. Information about the security controls required for this designation can be found here. 
  • Low Impact Level: Low includes approximately 125 controls. Organizations that achieve the low authorization status would only experience limited adverse effects should a loss of confidential information occur. Information about the security controls required for this designation can be found here. 
  • Moderate Impact Level: Moderate includes approximately 325 controls. Nearly 80% of organizations that receive FedRAMP authorization fall into this category. The loss of confidential information in this category would have a serious — but not catastrophic — impact on an organization. Information about the security controls required for this designation can be found here. 
  • High Impact Level: High includes approximately 425 cybersecurity controls. Organizations that should seek a High ATO most commonly include those working in law enforcement and emergency services systems, financial systems, and health systems. However, any organization can achieve the High impact level authorization, and they should especially pursue this level if any loss of confidential information could be expected to have a catastrophic impact on the organization. Information about the security controls required for this designation can be found here. 

The Process of Moving from FedRAMP Moderate to FedRAMP High 

The process of moving impact levels is relatively straightforward and is also simpler than achieving initial FedRAMP authorization. The three main steps that organizations need to take to move up an impact level include: 

  1. Receive approval from your sponsor. To begin the process of moving to a higher impact level, you first need permission from your sponsor. Identify a new sponsoring agency if the existing sponsor does not want to maintain sponsorship for a High authorization. 
  2. Complete the Significant Change Request (SCR) Form. This document, which is published on the FedRAMP website, outlines all of the additional control requirements that would need to be met to move up an impact level. The form includes a checklist of the new controls required when changing from Moderate to High impact levels and identifies those Moderate controls that change under a High impact level.  
  3. Undergo a Significant Change Assessment. Finally, an organization should complete a Significant Change Assessment with a third-party assessment organization (3PAO). If applicable, it is suggested to perform the Significant Change Assessment during your Annual Security Assessment for continued authorization. This helps reduce the audit fatigue that can result from an out-of-cycle assessment and helps control time and cost. 

How A-LIGN Can Help You Move from FedRAMP Moderate to FedRAMP High 

Even if an organization isn’t actively handling federal data, it can still use FedRAMP’s impact levels as a baseline to evaluate cloud security standards. Moving from FedRAMP Moderate to FedRAMP High means an organization has increased the number of controls it uses to keep sensitive information secure — something that can be attractive to clients.  

As an accredited 3PAO, A-LIGN is one of the top FedRAMP assessors in the world. We help organizations achieve FedRAMP Authorized status and move to a higher impact level.  

If you are a Cloud Service Provider (CSP) looking to move from a Moderate to High FedRAMP authorization, A-LIGN can make your FedRAMP process seamless. Contact us today. 


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.