CMMC 2.0: Key Updates
There have been several noteworthy updates surrounding the CMMC (Cybersecurity Maturity Model Certification) program since version two — CMMC 2.0 — was released toward the end of 2021.
Below we’ll cover the key changes you need to know if your business processes CUI (controlled unclassified information) or FCI (federal contracting information) including the:
- New title of the CMMC accreditation body (CMMC AB)
- Projected timeline for program launch
- Voluntary CMMC assessments status
- Introduction of a new federal cybersecurity framework
The CMMC AB Becomes the Cyber AB
In early June, the CMMC AB officially changed its name to the Cyber AB. According to Cyber AB Director and CEO Matthew Travis, the new moniker was introduced to simplify the AB’s previously lengthy name as well as set the organization up for future growth into other industries.
“I’ve had discussions with representatives of other departments of other sectors of critical infrastructure, and even other countries who are interested in the value that the CMMC model brings,” said Travis.
Since elevated cyber threats have become the new normal, Travis says he believes passing a rigorous CMMC assessment is an effective way to “buy down risk.” The collective cybersecurity experience held by the professionals that make up the CMMC ecosystem could certainly prove beneficial in assessing risk across industries.
No matter the future of the CMMC program, it’s important to note the Cyber AB’s primary mission remains the same as it was under its previous name: to authorize and accredit CMMC C3PAOs (Third-Party Assessment Organizations) that conduct CMMC assessments of companies within the DIB (Defense Industrial Base).
The DFARS Interim Rule and CMMC 2.0 Timeline Update
After the DoD (Department of Defense) released CMMC 1.0 at the beginning of 2020, the federal branch proceeded to publish the DFARS Interim Rule in September of the same year. The rule is essentially a stopgap measure intended to pave the way for CMMC and inform DoD contractors they must report compliance with NIST 800-171.
The DoD then used the public feedback they received on the Interim Rule to restructure the program into CMMC 2.0 in November 2021. When asked about the timeline for CMMC 2.0 rollout, the DoD has frequently said the rulemaking process could take anywhere from 9-24 months, leaving many contractors wondering when requirements will be added to contracts.
However, CMMC Director and DoD Deputy Chief Information Officer for Cybersecurity Stacy Bostjanick recently provided some clarity around the interim final rule and the CMMC 2.0 timeline. She noted the following:
- The current plan is for the DFARS Interim Final Rule update to be released in March 2023 and go into effect after a 60-day comment period.
- This means CMMC 2.0 requirements could begin appearing in DoD solicitations as early as May 2023.
- However, if the Office of Management and Budget (OMB) does not approve the interim rule, these dates will be pushed out by one year and requirements will be present in contracts starting May 2024.
Once CMMC 2.0 is officially implemented, not all contractors will be required to immediately obtain certification to handle CUI. The DoD is going to perform a phased rollout. When CMMC first begins appearing in solicitations, all contractors will have to conduct a self-assessment and provide a positive affirmation of compliance.
During the next phase, solicitations will require either a self-assessment or third-party certification depending on the type of information involved and the associated certification level. While the timing of these phases is to be determined, contractors should not delay in preparing their information systems for CMMC assessment.
CMMC 2.0 Voluntary Assessments
To help incentivize proactiveness in preparing for CMMC 2.0, there will also be a voluntary interim program in which contractors can earn a certification that will be honored when CMMC rulemaking goes into effect.
The voluntary assessment program, which may start as soon as August of this year, will allow companies to contract with an authorized C3PAO with oversight from the DIB Cybersecurity Assessment Center (DIBCAC). Companies that pass a Level 2 assessment — the level most contractors must meet for certification — will receive credit for a high-assurance DIBCAC assessment.
Once CMMC 2.0 becomes an official requirement in 2023 or 2024, the DoD intends to allow these certifications to remain in good stead for an additional three years beyond that date.
A New Cyber Secure DIB framework
Another relevant update that won’t necessarily impact the CMMC certification program but is worth keeping an eye on: Pentagon Cyber Chief David McKeown says there are active discussions around creating a “cyber secure” framework for the DIB.
“As we go forward, we are partnering with the DIB sector coordinating [council] and CISA and trying to work on how we develop a cyber secure DIB framework. We think it will be based on [the] NIST cybersecurity framework,” said McKeown.
Inspired largely by the state of global warfare, the proposed framework would help protect not only sensitive data but also the entire supply chain to minimize widespread damage from a cybersecurity incident.
Start Getting Ready for CMMC Today
Have additional questions about CMMC 2.0 and how to best prepare for implementation? A-LIGN can help. As one of the first candidate C3PAOs and a top assessor of federal compliance, our firm can perform a CMMC Readiness Assessment by evaluating your organization’s security policies, procedures, and processes against the controls published in NIST 800-171.
Contact a CMMC expert at A-LIGN today.
You may have heard that achieving Authority to Operate (ATO) under the Federal Risk and Authorization Management Program (FedRAMP) is a complicated and time-consuming undertaking. This is likely based on the experience many cloud service providers (CSPs) have when they dive into FedRAMP headfirst without taking the time to plan and prepare for what is undeniably a rigorous endeavor.
There are some common mistakes and misconceptions worth addressing to help your CSP business plan for a less stressful, more efficient path to FedRAMP ATO status. The information in this graphic assumes your organization is pursuing agency authorization rather than Joint Authorization Board (JAB) authorization, as this is the route the majority of CSPs take. With that in mind, here are some of the common pitfalls and some suggestions to facilitate the process.
Next Steps
Like virtually all areas of compliance, FedRAMP ATO comes down to having the right people, processes, and technology in place to facilitate transparency, accountability, and efficiency across the entire journey.
Is your organization pursuing FedRAMP Ready and/or a FedRAMP Authorized status? As a top accredited 3PAO for FedRAMP, A-LIGN has the knowledge and skills necessary to perform these security assessments.
Have more questions about the best way to FedRAMP? Contact an A-LIGN expert today.
This year, we’ve seen an influx of healthcare cyberattacks where threat actors have stolen large volumes of electronic protected health information (ePHI) and personally identifiable information (PII). It’s a familiar problem: the healthcare sector lost more than $20 billion in 2020 as the result of ransomware attacks alone. Now, the threat level is only rising.
To protect themselves, healthcare organizations need to implement a robust cybersecurity program. From completing assessments, to partnering with cybersecurity vendors, or updating internal processes, there are specific actions healthcare organizations should pursue to minimize their risk of a cyberattack.
In this blog, we’ll detail which steps healthcare organizations can take to help bolster their internal defenses.
Focus on Strengthening Internal Resources
Even more important than finding strong partners is creating a strong security structure within your own organization. To do so, begin by appointing a security officer and a privacy officer. The individuals in these roles should develop and document security and privacy policies, standards, and procedures to ensure all personnel are aware of their responsibilities. As can be said for all important guidelines, every employee should have easy access to this information.
An internal security committee composed of stakeholders from all departments across the organization should also be established. By making sure every branch has a representative present, organizations can more easily identify cross-departmental vulnerabilities.
The goal of the committee is to perform a risk assessment and develop controls to mitigate risk to an acceptable level. Some of those controls include:
- Installing endpoint protection on all company devices and servers.
- Implementing media and mobile device policies and encrypting data at rest.
- Enforcing a strong WPA AES-256 encryption policy for all wireless networks.
- Adopting Open Web Application Security Project (OWASP)-level security practices when developing applications and deploying changes. The committee must also ensure all systems are patched periodically so they operate under current best practices.
- Installing security information and event management (SIEM) tools to detect and monitor all activities within the network.
- Ensuring the organization has put an Incident Response Plan in place, along with testing the plan on an annual basis.
On a broader level, there are certain actions that all employees at healthcare organizations should take to aid in security efforts. These include completing a comprehensive security awareness and HIPAA training on an annual basis, ensuring all of the software they use is up to date, and reading and acknowledging their organization’s Acceptable Use Policy.
Partner With Vendors Who Can Mitigate Risk During Healthcare Cyberattacks
In addition to pursuing audits and assessments, healthcare organizations should seek out partnerships with vendors who specialize in cybersecurity services.
While most organizations likely already have a dedicated IT team, they should still maintain a relationship with a breach forensic firm. Not only will a firm help an organization identify and report breaches in a timely manner, but they will also make sure the organization stays in accordance with all of the compliance standards they follow, such as the HIPAA breach notification law.
Additionally, organizations should make sure they have a cyber insurance plan in place. As there is no framework or guideline that can 100% eliminate the possibility of a cyberattack, having an insurance policy will minimize the amount an organization would have to pay if a breach should occur.
Focus on Compliance and Security Assessments
There are several security compliance assessments unique to healthcare organizations that can help ensure information remains private and protected. For organizations that store, process, or transmit ePHI, HIPAA compliance is a must. HIPAA is a U.S. law that was enacted to protect sensitive patient data. For organizations that are uncertain whether they are currently HIPAA compliant, a third-party organization like A-LIGN can review the safeguards currently in place and identify areas where the information security program can be enhanced. A-LIGN’s audit experts created A-SCEND’s HIPAA Readiness Assessment, the only SaaS compliance management solution that includes live auditor assistance, making it a fast and easy way to achieve HIPAA compliance.
The most reliable ways of demonstrating HIPAA compliance are using the HITRUST CSF to perform a certification or using the AICPA Trust Services Criteria to perform a SOC 2+HIPAA attestation.
Healthcare organizations should also complete an organization-level Enterprise Risk Assessment. This assessment identifies all the critical assets of the organization, determines the threats to those assets, and ranks the risks based on the probability and impact of an asset being compromised. It’s a key step in identifying threats and implementing controls to mitigate risk.
Another great, proactive way to protect data and mitigate risk is to conduct a penetration test. These tests simulate a network attack and illustrate how your organization would respond. It’s a great way to identify gaps in your security infrastructure and fix them before a bad actor takes advantage.
How Organizations Can Act Now
Throughout 2022, threat actors will likely still view healthcare cyberattacks as a worthy endeavor — especially small and mid-sized providers and their associates. To minimize the risk of healthcare cyberattacks, organizations should look to pursue relevant audits and adhere to compliance standards, partner with organizations who can assist during incidents, and bolster internal resources via key hires or the development of a dedicated security committee.
Ready to dive in? Reach out to A-LIGN to review your HIPAA compliance or complete a HITRUST audit.
Online activity has soared in the wake of the pandemic, and much of it, like ecommerce shopping and telemedicine, is expected to remain elevated even as we exit the health emergency. This new reality has made cybersecurity and compliance top of mind issues for business leaders, with organizations around the world making them priorities to keep customer and partner data safe. Although cybersecurity and compliance are global matters, the landscape of each looks different depending on the market and can influence how organizations do business in these areas.
In this blog, we compare the EMEA (Europe/Middle East/Africa) market to the U.S. in the context of compliance, data privacy, and threats to cybersecurity.
Compliance in EMEA vs the U.S.
When it comes to compliance in EMEA vs the U.S., there is a marked difference as to what, or who, leads in creating standards: regulatory agency vs industry. In EMEA, regulatory bodies tend to guide compliance. Whether it’s the European Union (E.U.) that draws up and approves rules like GDPR (General Data Protection Regulation), or the Information Commissioner’s Office (ICO) in the UK, some type of government-driven regulatory body usually leads the way.
In the U.S., compliance standards are often left to industry councils or associations. These include:
- PCI DSS – The Payment Card Industry Security Standards Council (PCI SSC) was formed by American Express, Discover Financial Services, JCB International, MasterCard and Visa Inc. with the goal of managing the ongoing evolution of the PCI DSS (Payment Card Industry Data Security Standard).
- SOC – SOC (System and Organization Controls) is an information security framework defined by the AICPA (American Institute of Certified Public Accountants). In 2021, SOC 2 was the most popular audit for cybersecurity, IT, quality assurance, internal audit, finance, and more.
- HITRUST – In collaboration with healthcare, technology and information security organizations, HITRUST established the HITRUST CSF: a framework to comply with standards such as ISO/IEC 27000-series and HIPAA.
Data Privacy in EMEA vs the U.S.
The presence (or lack thereof) of regulatory bodies has had implications on data privacy across Europe and the U.S. In 2016, the European Parliament and Council of the European Union passed the GDPR which sought to protect the data privacy of European citizens. As a result of the strict regulations, companies all over the world had to alter how they do business to avoid facing stiff penalties.
But the U.S. has not instituted a comprehensive, federal data privacy protection framework for all of its citizens (although one could be on the horizon). However, some individual states such as California, Colorado, Connecticut, and Virginia have passed their own set of regulations, with other states considering legislation at the requests of citizens. The piecemeal approach is likely to continue as individual states attempt to pass data privacy protections in the absence of comprehensive, federal legislation.
Cyber Threats in EMEA vs U.S.
Unfortunately, one of the areas where both the EMEA and the U.S. seem to be in lock step is threats to cybersecurity. Both regions are seeing record cybersecurity attacks as more activity moves online and to a cloud environment.
According to Check Point research, North America experienced the fewest attacks compared to other regions around the globe, with 503 weekly per organization. But that figure is up a whopping 61% from the year prior. At the other end of the spectrum, Africa experienced the highest volume of attacks in 2021 (nearly 1,600 a week), up 13% from 2020. Europe experienced 670 attacks weekly, a 68% increase. An official E.U. report lists the top threats to cybersecurity as:
- Ransomware
- Malware
- Cryptojacking
- E-mail related threats
- Threats against data
- Threats against availability and integrity
- Disinformation and misinformation
- Non-malicious threats (breaches triggered by human error)
- Supply-chain attacks
European organizations are playing catch-up to their American counterparts when it comes to fortifying their defenses against cyberattacks, which could explain why European organizations experience 33% more cyber incidents. A 2020 study examining cybersecurity spending shows that E.U. organizations allocate on average 41% less spend to cybersecurity than their U.S. counterparts. However, an IDC report published in 2021 predicted that European IT security spending would jump 8.3% in 2021, signaling an acknowledgment of the problem of rising cybersecurity threats and a commitment to solving it.
As for the Middle East, research from cybersecurity firm Kaspersky highlights that malware attacks are becoming a widespread epidemic, accounting for 161 million attacks and growing by 17% compared with the previous year’s figure of 138 million. Oman, Kuwait, Bahrain and Egypt have seen increases of 67%, 64%, 45% and 32%, respectively. Qatar and the United Arab Emirates (UAE) come in at the lower end of the range with increases of 16% and 7%.
According to PwC, 58% of organizations in the Middle East are increasing cybersecurity spend in 2022, up from 43% in 2021 as they attempt to protect their systems and sensitive information from growing malicious threats.
Trust A-LIGN for EMEA Cybersecurity & Compliance
A-LIGN is a global leader in cybersecurity & compliance. We’re experienced in helping EMEA clients achieve all the regulatory compliance necessary to do business, and also strengthen their cybersecurity posture. From SOC 2 audits to ISO 27001 compliance to GDPR gap assessments, we’re a partner you can trust.
Contact A-LIGN to learn more about how we can help your EMEA business achieve compliance.
Ransomware attacks are becoming more prevalent, more complex, and even more costly to businesses. According to The State of Ransomware 2022 report from Sophos, two-thirds of organizations across the world have been hit with ransomware in the past year, and 72% have experienced an increase in the volume, complexity, and/or impact of cyberattacks such as ransomware.
This is why it is imperative to have a comprehensive ransomware preparedness plan in place. But unfortunately, many businesses aren’t there yet. A-LIGN’s 2022 Benchmark Report showed that of those surveyed, only 39% of organizations have a plan in place, whereas 40% are “planning to develop” something in the future, and a full 10% said they don’t view ransomware as a main cybersecurity concern.
This is a large discrepancy and leaves many businesses extremely vulnerable. To help you kickstart your ransomware preparedness plan, we’re breaking down the top questions A-LIGN has received about ransomware preparedness.
Is My Organization Susceptible to Ransomware?
Any organization in any industry can fall victim to a ransomware attack, but the industries that are targeted the most include manufacturing, finance, healthcare, and education.
Ransomware attacks have caused significant impacts on organizations in multiple sectors. In December 2021, a ransomware attack caused Lincoln College to permanently shut down. The Bridgestone attack in late February of this year halted tire production at a Toyota factory for over a week, and it took the company more than four months to fully recover. In Costa Rica, an ongoing ransomware war has caused the government to declare a national emergency, with no end to the crisis in sight.
The severity of these attacks has raised alarms for many, driving the need for stronger ransomware preparedness plans.
“Ransomware has become as big or bigger than advanced persistent threats,” said retired Lieutenant General Cardon. “It was once believed that if you’re a small company, you have nothing to worry about. But, from the offensive side of cybersecurity, this simply isn’t true. A small company that doesn’t think it’s a target and does not have appropriate defensive measures will more likely be a target because they are an easy victim. Believing you’re safe just because you’re a small company makes your organization a weak link and easy target.”
Why Should We Prioritize Ransomware Preparedness?
The examples above show how the aftermath of a ransomware attack can prove catastrophic for an organization, in terms of financial impact, reputational damage, and even legal repercussions.
As ransomware gangs become more sophisticated in their pressure tactics, organizations need to be prepared for a variety of attacks such as encryption, data hostage situations, or distributed denial of service (DDoS). Cyberattacks are costly for businesses, but also for the victims of attacks who have their personal information stolen. Organizations that lack a recovery plan run the risk of permanent reputational damage, along with fines if compliance failures allowed the attack to take place.
Even though threats may be harder to detect, public empathy appears to be declining. Some believe organizations should be doing more to keep their sensitive data protected. A growing movement against paying ransoms has emerged, with some governments considering proposed legislation banning payments.
With so much at stake, organizations must make disaster recovery a core focus of their ransomware incident response.
What Does a Ransomware Preparedness Assessment Entail?
When it comes to creating a detailed preparedness plan, it helps to start with a complete ransomware preparedness assessment. A-LIGN’s industry-leading ransomware preparedness assessment service consists of three core components: identify, test, and prepare.
Identify Key Assets and Areas for Improvement
The first step in the preparedness assessment involves a key asset and risk profile identification. This is followed by a security capabilities maturity review based on the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF). A-LIGN will also complete an enterprise-wide architecture review.
- Maturity Assessment: To gain an understanding of the current environment and threat landscape, A-LIGN will conduct discovery workshops to help identify potential areas of improvement in an organization’s cybersecurity posture. A-LIGN will leverage the NIST Cybersecurity Framework (NIST CSF) to evaluate the organization’s capabilities against the five unique domains of the NIST CSF: Identify, Protect, Detect, Respond, and Recover.
- Architecture Review: A-LIGN will review the organization’s enterprise-wide architecture to identify potential design issues as well as areas of improvement. A-LIGN will conduct workshops with relevant stakeholders to review the current architecture, network segmentation, as well as any existing strategic plans for improvement of the architecture.
Test How Your Organization Reacts to Real-World Attack Scenarios
The test stage assesses an organization’s readiness to effectively respond to cybersecurity threats. It involves two types of adversarial simulations:
- Penetration Testing: As part of the Technical Assessment, A-LIGN will test both the external and internal defense systems of an organization through the execution of penetration tests (scope and tests to be determined by management). These tests will simulate a real-world attack to test the organization’s capabilities to detect and respond to a malicious actor.
- Social Engineering: A-LIGN will conduct Social Engineering Tests (methodology to be determined by management, however, this can include phishing, spear phishing, pretexting, vishing, etc.). A-LIGN will attempt to compromise the credentials of both privileged and non-privileged users to gain access to systems and data.
Prepare a Detailed Response So You Can Resume Operations ASAP
In some instances, the resulting organization-wide downtime can be as costly as the ransomware attack itself. The prepare stage is designed to close any gaps in an organization’s ransomware response and preparedness capabilities. It involves two components:
- BCDR Plan Review: To ensure organizations have the plans in place to recover from a cybersecurity event, A-LIGN will review the organization’s existing Business Continuity and Disaster Recovery Plan against industry best practices to identify gaps and potential areas of improvement in the existing plan.
- Table-top Testing Exercise: A-LIGN will develop and facilitate a unique table-top test plan based on discussions with management on practical scenarios, unique industry risks, unique geographic locations, and our experience in Business Continuity Plan (BCP) test plan development. The goal of this exercise is to simulate a real-world scenario to assess the organization’s capabilities to respond in the event of a disaster.
What Are the Benefits of a Ransomware Preparedness Assessment?
Once your organization has completed a ransomware preparedness assessment, you gain the ability to:
- Identify gaps in your organization’s cybersecurity plan, based on the NIST CSF, and help your team to prepare for possible future cybersecurity events.
- Recognize and remediate the cybersecurity vulnerabilities discovered through penetration testing and social engineering.
- Validate the security investments that are working well, and identify those that are not working as intended.
- Have a better understanding of the quality of existing policies and procedures and determine how they can be improved to help with ransomware preparedness.
- Feel less stress, especially amongst internal stakeholders, knowing that the organization has a rock-solid plan in place to respond to an inevitable attack.
A strong ransomware preparedness plan doesn’t only benefit the internal members of an organization. Partners, prospects, and customers will also feel peace of mind knowing that your organization is prepared and can properly defend against and respond to cybersecurity events.
How Do I Get Executive Buy-In for a Ransomware Preparedness Assessment?
Deciding your organization is ready for a ransomware preparedness assessment is only part of the process: you will most likely need executive buy-in as well.
Fortunately, the numbers supporting this move rule in your favor. Without a strong cybersecurity system in place, an organization is at risk for loss of revenue, reputation, and customers, ultimately leading to a considerable drop in profitability.
According to Keeper’s 2021 Ransomware Impact Report:
- Nearly half (49%) of organizations pay the requested ransom during attacks
- 64% of organizations lost important login credentials or documents during attacks
- 64% of organizations believe their company’s reputation has declined post-attack
- 28% of system/network outages last at least one week — a significant amount of downtime that is very costly for businesses
Highlighting the risk an organization faces may increase the likelihood of your organization’s executive team supporting the completion of a ransomware assessment.
Getting Started
With the rapid increase in ransomware attacks, all organizations should have a thorough ransomware preparedness plan in place. Before creating this plan, an organization should complete a Ransomware Preparedness Assessment to gain a better understanding of current vulnerabilities and areas that require improvement.
Contact A-LIGN to learn more about our one-of-a-kind Ransomware Preparedness Assessment.
There are a variety of threats to information security for an organization, in the form of breaches, ransomware attacks, and other cybersecurity incidents. To safeguard data and information, organizations must implement proper security controls. For organizations whose services are likely to be relevant to their clients’ internal control over financial reporting, a SOC 1 audit can help accomplish this goal.
In this article, we describe the details of a SOC 1 audit and reveal the value it brings to organizations that undergo the process.
What Exactly Is a SOC 1 Audit?
A Service Organization Controls (SOC) 1 attestation examines and reports on a service organization’s controls over the services it provides to clients when those controls are likely to be relevant to the client’s internal control over financial reporting. A SOC 1 can also evaluate whether an organization has the proper internal controls in place to secure important data and information, such as the information technology controls supporting the system.
Who Should Undergo a SOC 1 Audit?
Organizations handling sensitive financial data, particularly those whose actions affect the financial reporting of their clients, should undergo SOC 1 examinations to demonstrate that their information is properly secured and processed accurately. These include payroll processors, payment processors, collections organizations, benefits administrators, Software as a Service (SaaS) providers, managed-service providers (MSPs), and other similar organizations.
SaaS or cloud-service providers (CSPs) that are currently SOC 2 compliant may still be required by their customers to obtain a SOC 1 if their service directly impacts the financial statements of their customers.
What Is a SOC 1 Report?
Following the completion of a SOC 1 audit performed by a licensed CPA, the firm will issue a SOC 1 report that includes a detailed description of the system, the controls examined, and the auditor’s opinion. The SOC 1 report is an “attestation” whereby management at the organization being audited attests to the controls that have been implemented. The auditors will provide an opinion on the suitability of management’s assertion and the controls tested, and management may use the document to build confidence with clients and drive changes that are needed to bolster or maintain the robustness of the system of controls.
A SOC 1 report can be performed as Type 1 or Type 2. A SOC 1 Type 1 attests to the design and implementation of controls at a single point in time. Your auditor will review evidence from your system as it exists at a “moment in time.” A SOC 1 Type 2 attests to the design, implementation and operating effectiveness of controls over a period of time, usually between 3 and 12 months. A Type 2 provides assurance of not just how your systems are designed, but the effectiveness of their operation on a day-to-day basis.
To help you best prepare for your SOC 1 audit, we recommend undergoing a SOC 1 Readiness Assessment to identify high-risk control gaps, giving your organization the opportunity to remediate any issues prior to the SOC 1 audit.
What Value Does a SOC 1 Audit Bring?
A SOC 1 audit can bring tremendous value to your business by enhancing internal procedures and positioning you favorably with partners and customers. Here’s how:
Builds Client Trust
A SOC 1 builds trust and may even be a requirement for doing business. If you are a B2B brand that seeks to sign or retain top-tier clients, a SOC 1 report will signal to those clients that their sensitive financial information is in good hands. It’s common for customers to request to see a SOC 1 report before they even engage with your business. If you are unable to provide a report, potential clients may walk away from a deal or opt to partner with a competitor.
For international brands looking to expand across their borders, a SOC 1 can easily be combined with an International Standards for Attestation Engagements (ISAE) 3402 as it grants greater peace of mind to foreign business leaders.
Builds a Better Brand Image
For newer businesses just starting out, building your brand image is important and could mean the difference between success and failure. This is true because the business landscape is fiercely competitive, full of established businesses that have been successfully operating for generations, and upstarts also looking to gain market share.
Larger, established organizations are likely to already have earned a SOC 1 attestation. When you don’t have much history to fall back on, you need to find ways to introduce your brand in the best possible light. A SOC 1 report does just this by demonstrating that your company takes information security seriously. Simply put, brands that earn their SOC 1 have a material competitive advantage over those that have not.
Builds Efficiencies
While a SOC 1 demonstrates compliance with an organization’s controls over the services it provides to clients when those controls are likely to be relevant to the client’s internal control over financial reporting, it can also assist organizations in identifying and monitoring the security controls they’ve implemented to safeguard sensitive data and information.
It is an internationally recognized standard that is familiar to organizations all over the world. By completing a SOC 1 annually, a company can confirm and signal the robustness of their system of controls. Organizations usually have their own audit process when signing clients or partners but will often allow a SOC 1 report in lieu. It’s a far more efficient process that saves time and money.
How Do I Complete a SOC 1 Audit?
Partnering with a licensed CPA is the first step in your SOC 1 journey. All audits are completed in accordance with the Statement on Standards for Attestation Engagements (SSAE) 18. As a requirement, your company will work with the CPA to define what the control objectives are in relation to the in-scope systems. In determining the proper control objectives, the auditor will do the following:
- Identify aspects of the organization’s controls that may affect the processing of the user organization’s transactions
- Determine the flow of significant transactions through the organization
- Assess whether the control objectives are relevant to the user organization’s financial statement assertions
- Evaluate whether the controls are suitably designed to prevent or detect processing errors that could result in material misstatements in user organization financial statements, and determine whether these controls have been implemented
Start Your SOC 1 Journey
A-LIGN is a security and compliance partner as well as a certified CPA firm that has completed over two thousand SOC 1 assessments. Get started on yours by contacting one of our experts and we’ll guide you through your journey to SOC 1 compliance.
With the rise in cybersecurity attacks comes wariness from customers — no one wants to work with an organization that has an increased risk of falling victim to an attack. And when it comes to the Federal government, that rings especially true.
The Federal government has put measures into place to help mitigate risk when working with partner organizations. In fact, these organizations are required to maintain certain cybersecurity standards and authorizations in order to do business with the Federal government.
One of those requirements is the Federal Risk and Authorization Management Program, also known as FedRAMP. In this post, we’ll provide you with everything you need to know about the FedRAMP authorization process.
What is FedRAMP?
With cyberattacks and cloud-based technologies on the rise, federal departments and agencies needed a cost-efficient and risk-based approach to cloud adoption.
This led to the creation of the Federal Risk and Authorization Management Program (FedRAMP) in 2011. FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services used by federal entities that store, process, and transmit federal information.
What is the goal of FedRAMP?
As a government cybersecurity framework, the goal is to accelerate the adoption of secure cloud solutions through the use of assessments and authorizations. For organizations that achieve FedRAMP authorization, it’s a powerful validation of the security of the organization’s cloud solution.
Why is FedRAMP important?
FedRAMP increases confidence in the security of cloud solutions through continuous monitoring and consistent use of best information security practices and procedures. This streamlined, regulated approach helps mitigate the risk of cyberattacks.
Who needs FedRAMP Authorization?
Federal agencies that host their technology in the cloud are required to use a FedRAMP certified Cloud Service Provider (CSP). If you are looking to do business with the government and host federal systems, then FedRAMP applies to your environment, and you will need authorization.
What are the key benefits of FedRAMP Authorization?
Becoming authorized offers CSPs many benefits, including:
- Improved real-time security visibility
- A uniform approach to risk-based management
- Significant savings on cost, time and resources by de-duplicating efforts related to meeting federal cybersecurity requirements
- Increased re-use of existing security assessments across agencies
- Enhanced transparency between government and CSPs
- Improved trustworthiness, reliability, consistency and quality of the Federal security authorization process
Does FedRAMP apply to global organizations?
Yes. Many global organizations are seeking to secure new business deals to strengthen their customer base. If international businesses want to sell a cloud service offering to the U.S. government, they should pursue FedRAMP authorized status.
Why is FedRAMP Certification valuable to cloud service providers (CSPs)?
Federal cloud spending has seen a rise in recent years. In fact, analysis from Deltek found that federal cloud spending reached nearly $11 billion in FY 2021, up more than 40% from the $7.6 billion spent in 2019. CSPs looking to capitalize on this trend should seek to achieve FedRAMP Authorized status.
FedRAMP can also be reused to sell to multiple agencies. In fact, if you already have authorization, it can simplify the certification process for other federal and defense programs, like the DoD’s Cloud Computing Security Requirements Guide (CC SRG).
Who can perform a FedRAMP assessment?
Only accredited FedRAMP Third Party Assessment Organizations (3PAO) may perform FedRAMP assessments.
How do I get FedRAMP certified?
FedRAMP is an integrative standardized assessment designed to be a common one-stop-shop for CSPs seeking to do business with the U.S. government.
There are two paths CSPs can take to achieve authorization:
- Through an agency sponsorship when a government entity vouches for a CSP, streamlining their approval process.
- Through the Joint Authorization Board (JAB). The JAB is the primary governance and decision-making body for FedRAMP.
Although organizations are able to choose which process they’d prefer to take, most organizations choose to achieve certification via agency sponsorship. This is because the JAB path is very competitive as they only select 12 systems per year (specifically, three per quarter).

What is JAB P-ATO Status?
The JAB is the primary governing body for FedRAMP and includes the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). The JAB selects approximately 12 cloud products a year to work with for a JAB Provisional Authority to Operate (P-ATO).
The JAB Authorization process involves:
- An evaluation via FedRAMP Connect
- Completing a FedRAMP Ready assessment
- Completing a full-security assessment
- Achieving authorization via the JAB
- Continuous monitoring post-authorization
What is Agency ATO Status?
In the Agency Authorization path, agencies may work directly with a CSP for authorization at any time. CSPs that make a business decision to work directly with an agency to pursue an ATO will work with the agency throughout the FedRAMP Certification process.
The Agency Authorization process involves:
- An optional, yet highly recommended, FedRAMP Ready assessment
- Pre-authorization
- Achieving agency authorization
- Continuous monitoring post-authorization
What are the key processes involved with a FedRAMP Assessment and Authorization?
Regardless of which method (agency sponsorship vs. JAB) you choose, the authorization process always involves:
- A Preparation Phase, where the provider completes a System Security Plan (SSP). After this, a FedRAMP-approved third-party assessment organization (3PAO) will develop a Security Assessment Plan.
- A Full Security Assessment, where the assessment organization submits a Security Assessment Report and the provider creates a Plan of Action & Milestones (POA&M). The security assessment evaluates the company’s policies and procedures against a set of requirements drawn from the NIST 800-53 controls. Once authorization is granted, continuous assessment and authorization guidelines must be in place to uphold it.
- Authorization, where the JAB/authorizing agency determines whether the risk as described is acceptable. If confirmed, they submit an ATO letter to the FedRAMP project management office. The provider is then listed in the FedRAMP Marketplace.
- Continuous Monitoring, where the provider sends monthly security monitoring deliverables to each organization using the service.
What’s the timeline of a FedRAMP Assessment?
Step 0. Complete a gap assessment to address any holes in your environment. This ensures a CSP is ready for the FedRAMP authorization assessment to be submitted for FedRAMP Authorized status.
Step 1. Pre-Assessment Review (1-4 Weeks)
Step 2. Planning Activities (4 Weeks)
Step 3. Assessment Activities (7 weeks)
Step 4. Reporting Activities (5 weeks)
Step 5. Sponsor Issues Authority to Operate (2-3 weeks) and the CSP is listed in the FedRAMP Marketplace
Step 6. Maintain Authorization
How long is FedRAMP valid?
A FedRAMP Ready designation is only valid on the Marketplace for twelve months.
What are the impact levels of FedRAMP compliance?

Low Impact SaaS (FedRAMP Tailored or LI-SaaS): LI-SaaS is a subset of low impact and typically includes 50+ of the controls to be independently assessed. This baseline accounts for SaaS apps that do not store personally identifiable information beyond basic log-in information, like usernames and passwords. Organizations that achieve the LI-SaaS level would experience minor adverse effects should a loss of confidential information occur.
Low Impact Level: Low includes about 125 controls. Organizations that achieve the low authorization status would experience limited adverse effects if a loss of confidential information occurs.
Moderate Impact Level: Moderate includes about 325 controls and the vast majority of organizations fall into this category. The loss of confidential information in this category would have a serious impact on an organization.
High Impact Level: High includes approximately 425 cybersecurity controls and mainly includes organizations that work in law enforcement and emergency services systems, financial systems, and health systems. Organizations should especially pursue High impact if any loss of confidential information could be expected to have a catastrophic impact.
Please note, the number of controls for each impact level is currently based on NIST 800-53 revision 4 and will change with the transition to revision 5. The transition plan and associated templates and guidance are expected to be released by the end of 2022.
FedRAMP vs. FISMA/NIST RMF
Prior to FedRAMP, the U.S. government introduced the Federal Information Security Modernization Act of 2014, or FISMA.
FISMA is the law directing government agencies to develop and maintain an information security program. FedRAMP is a cloud-specific implementation of NIST RMF. Even though FISMA and FedRAMP use the same standard, utilizing the same controls set within NIST 800-53, the two have different authorization processes.
In order to bring together all of the FISMA-related security standards, NIST created the Risk Management Framework. Whereas FISMA establishes the requirements of an agency’s cybersecurity program, RMF helps determine how that program should review, assess, and approve IT systems for use.
What’s the difference between FedRAMP and StateRAMP?
StateRAMP can be thought of as FedRAMP compliance for state and local governments, and it has a Security Assessment Framework that is based on the National Institute of Standards and Technology Risk Management Framework (NIST RMF).
StateRAMP offers a fast track to authorization for current FedRAMP authorized services.
Is continuous monitoring needed for FedRAMP?
Yes. Monthly updates (scans and POA&Ms) to the Agency Sponsor or JAB (based on authorization pathway) are important to ensure your organization has maintained compliance with FedRAMP. Annual assessments that include penetration testing, select control assessment, system scanning, and more are critical to your continued compliance standing.
If your organization has experienced any significant changes that will impact your compliance standing, you’ll need your agency or JAB to review and assess through a Significant Change Request Assessment.
What are FedRAMP key terms?
Check out our FedRAMP compliance glossary of terms to learn the definitions for Third Party Assessment Organizations (3PAO), authority to operate (ATO), cloud service provider (CSP), Federal Information Security Modernization Act (FISMA), joint authorization board (JAB), National Institute of Standards and Technology (NIST) and more.
What are the common challenges of FedRAMP authorization?
- CSPs Might Not Know Authorization Is a Detailed Process: FedRAMP security standards are more prescriptive than general security assessments and require granular detail.
- CSPs Might Overlook the Benefits of Control Inheritance: Inheriting as many security controls as possible from your CSP organization’s underlying FedRAMP authorized infrastructure provider will save time and resources.
- Organizations Underestimate the Power of Automation: Compliance automation software can help automate and streamline your authorization process.
What’s new with FedRAMP?
The FedRAMP Rev 5 Baselines: The final Rev 5 baselines and transition plan to Rev 5 are expected in early 2023. The biggest difference between the Rev 4 and Rev 5 baselines is that FedRAMP has introduced a threat-based methodology to determine which controls should be added on to the established NIST 800-53 Rev 5 baselines.
The Updated Readiness Assessment Report (RAR): A RAR is what CSPs use to determine if they are ready to undergo the extensive FedRAMP certification process. In a thorough 19-page document, FedRAMP provided updated guidance as well as templates for 3PAOs evaluating CSPs for readiness.
Beginning the Authorization Process
FedRAMP can help organizations win more business and stand out from their competition, but the approval process is detailed.
As a CSP, you must implement the appropriate controls before you can begin the FedRAMP certification process. Whether you seek authorization via an agency or through the JAB, it is important to ensure you have a trusted resource to help guide you through the process.
A-LIGN is a top accredited FedRAMP 3PAO, having helped organizations worldwide achieve full authorization.
If you are a CSP currently providing, or seeking to provide, services to federal agencies, speak to an expert at A-LIGN about the FedRAMP authorization process.
At a time when cyber-attacks are occurring at unprecedented rates, maintaining information security is paramount. Organizations can demonstrate their commitment to data security by undergoing a SOC 2 audit, which assesses the controls designed to protect an organization’s system or services. There are two types of SOC 2 audits: Type 1 and Type 2. Many organizations elect to start with a Type 1 audit, and later move to a Type 2.
In this article, we explore the two types of SOC 2 audits, the process of moving from a SOC 2 Type 1 audit to a Type 2, and the value they each bring.
SOC 2: Type 1 and Type 2
Any SOC 2 audit will evaluate your internal security management system based on one or more of the following five categories: Security (required), Availability, Processing Integrity, Confidentiality, and Privacy. The difference between a Type 1 and Type 2 audit is largely (but not entirely) based on time.
- Type 1: This assessment evaluates the design of internal security controls at a single point in time – perhaps on a specific date: February 1.
- Type 2: This assessment evaluates the design and effectiveness of internal security controls over a duration of time – perhaps a 12-month period starting on February 1.
A Type 2 audit is more comprehensive because it seeks to examine not just the design of security controls, but how the controls work on a daily basis. A Type 2 report is more robust than a Type 1 report as it covers a span of time and tests an array of samples across the different high-risk areas.
So why might an organization that has undergone a Type 1 decide later to undergo a Type 2?
The Process of Moving from a SOC 2 Type 1 to a Type 2
Even if your organization previously completed a Type 1 audit, you should expect to invest additional time and resources into the process of completing a SOC 2 Type 2. The biggest difference in moving to a Type 2 is the quantity of sample evidence that is requested, as a Type 1 report only looks at one sample.
The first step in the SOC 2 Type 2 audit process is to determine the length of the review period. Type 2 audits typically cover a one-year period, but can vary based on contractual requirements between an organization and its clients. Once the review period has been determined, the organization and its auditor will have walkthrough meetings (similar to a Type 1 audit) to understand the security processes and procedures that have been put in place.
Each auditing firm has a sampling methodology that is used and is driven by AICPA (American Institute of Certified Public Accountants) guidance. Expect your auditor to request multiple samples, and for them to review various population pulls within the designated time period. Samples might be pulled from an annual, quarterly, monthly, or daily basis, depending on the frequency and nature (manual vs automated) of the controls being tested.
Moving from a Type 1 to a SOC 2 Type 2
While a SOC 2 Type 1 audit signals to partners and clients (both current and prospective) that you take information security seriously, there are instances where it would be beneficial to pursue a Type 2. These include:
- Contractual obligations – A customer might request that your company obtain a Type 2 report and might even define the length of the review period (six months, nine months, a year, etc.).
- To develop rapport with clients – Business is built on trust and moving to a Type 2 helps give assurance to your clients that their information is in good hands.
- To build brand recognition/competitive advantage – Undergoing a Type 2 audit is more time-intensive than a Type 1, and so completing the assessment demonstrates your company’s dedication to security. This can set your business apart from competitors.
What is the Value of Moving from a SOC 2 Type 1 to a SOC 2 Type 2?
While a SOC 2 Type 1 report confers benefits to organizations by demonstrating their commitment to information security, a SOC 2 Type 2 report has even greater value. This report shows not only that an organization has designed controls, but that those controls were operating effectively throughout the determined review period. It can therefore be concluded that the organization is capable of maintaining information security.
Value can also be gained through building an environment that is focused on streamlining regulatory compliance efforts. Organizations that only undergo a Type 1 audit are likely to maintain defined controls once a year. But when going through a Type 2 audit, the organization must monitor and maintain controls throughout the full year. This helps in streamlining and reinforcing policies and procedures among team members on an ongoing basis.
Thinking about moving from a SOC 2 Type 1 to a Type 2? A-LIGN can help you navigate the process. We’re more than an auditor. We’re a partner that has completed over 5,000 SOC 2 reports and is the top SOC 2 issuer in the world. Contact us to get started on your SOC 2 Type 2 journey.
Data breaches and ransomware attacks continue to dominate the news cycle. To protect data, and position themselves favorably among prospects and customers, companies need to demonstrate a commitment to cybersecurity.
Enter SOC 2 (Service Organization Control 2), a popular audit that attests to a company’s ability to protect data and information. It’s a strong validator for any company looking to demonstrate its commitment to cybersecurity to partners and customers.
Pursuing a SOC 2 audit is a multi-step process, which can seem confusing at first glance given the fact that there are vendors that provide compliance software, and other vendors who are themselves certified SOC 2 auditors.
This blog will clarify the SOC 2 audit process, as well as explain the role of SOC 2 auditors and compliance software.
When and How to Use SOC 2 Software Tools
There are multiple steps to completing a SOC 2 audit. Many companies start with a readiness/gap assessment, which is the process of reviewing existing controls in place and identifying those that need to be improved or implemented. This process can be executed via an audit consultant, or through specialized software tools that help simplify this process (like A-SCEND).
Compliance software tools typically provide automated workflows and compliance templates, comparing your existing controls against the controls within a selected compliance framework — which, in this case, would be the SOC 2 framework.
Typically, this software allows you to visualize progress toward compliance goals, assign tasks related to evidence collection or policy updates, and collaborate all in one dashboard. Software tools provide a simple way to understand the framework requirements, assess them against your existing policies and procedures, and manage the process of updating policies. While these tools help to better prepare for an audit and streamline the assessment process, an experienced auditor is still a critical component of compliance.
When and How to Use SOC 2 Auditors
Software tools can only take you so far with SOC 2. They can help prepare a company for a SOC 2 audit, but not complete the audit itself. When the actual audit takes place, companies must turn to a SOC auditor.
SOC 2 audits are regulated by the American Institute of Certified Public Accountants (AICPA) and must be completed by an external auditor from a licensed CPA firm. This is the only way a company can receive an official SOC 2 report, whether it’s a Type 1 or Type 2 report.
An official SOC 2 report is valid for one year following the date the report was issued. Future annual audits must also be completed by an external auditor from a licensed CPA firm.
Working with SOC 2 Service Providers
A-LIGN is a SOC 2 audit provider that offers multiple benefits for organizations seeking to complete a SOC 2 audit:
- A-LIGN is a licensed CPA firm that can issue a SOC 2 report. In fact, we are the top issuer of SOC 2 reports in the world.
- With deep experience and expertise, A-LIGN also created A-SCEND, a modern SaaS platform for streamlining compliance and management activities.
If your organization plans to use software to prepare for an audit, it’s helpful to work with a software partner who can also conduct the official audit (as a certified CPA) because it provides an added layer of convenience throughout the SOC 2 process and results in a reputable report.
Organizations need to go beyond the data collection by their compliance software tool and conduct further due diligence, such as observations and walkthroughs (conversations) between the audit team and the client. SOC 2 auditors may also find that they need additional data or evidence necessary to validate the design and operating effectiveness of a complete control set. When you use the same company for a technology-enabled audit, and a SOC 2 report, the software is designed to request all audit materials needed, including manually operated controls and supporting evidence. In this convenient scenario, you can save time, resources, and money.
All-in-One SOC 2 Services with A-LIGN
A-LIGN provides an all-in-one solution for SOC 2. The A-SCEND platform can streamline the audit preparation process by centralizing evidence collection and simplifying the SOC 2 readiness assessment. To make life easier, it’s an “auditor-assisted” process with real experts standing by to guide you through your SOC 2 journey. Leveraging the A-SCEND platform sets you up for success when it comes time to complete the actual report with A-LIGN’s certified SOC 2 auditors.
Even better, A-SCEND is not limited to SOC 2. You can trust it to help achieve compliance across multiple security frameworks including SOC 1, HIPAA, PCI DSS and more.