This blog post is a recap of our Demystifying FedRAMP webinar, hosted alongside our partners at Anitian. View the full webinar recording here.
FedRAMP (the Federal Risk and Authorization Management Program) was established in 2011 as a way to accelerate the adoption of cloud solutions, and increase confidence in the security of those cloud solutions, across the Federal government.
FedRAMP is an authorization program versus a certification program, meaning that businesses go through a rigorous security review process and are then granted an Authority to Operate (ATO) and listed in the FedRAMP Marketplace. The Marketplace is a comprehensive list of cloud products and services that are approved to work with federal agencies.
Prior to undergoing the FedRAMP authorization process, there are a few key things that organizations should keep in mind to prepare for FedRAMP success.
1. Executive Buy-in and Cooperation Are Key
Federal agencies spent nearly $11 billion on the cloud in FY 2021, which spells huge opportunities for cloud service providers. But the journey to FedRAMP authorization is long. It involves many evidence requests, as well as lots of writing-heavy work to document policies and procedures. Before undertaking all of this work, it’s essential to get executive buy-in on the importance of FedRAMP authorization. This isn’t always easy, despite the monetary opportunities present in the federal market.
In our extensive experience helping organizations earn FedRAMP authorization, we’ve seen many expensive and time-consuming delays stem from misalignment over priorities within the overall corporate environment. This misalignment makes a long process even longer and will only cause your organization to miss out on opportunities to expand within the government sector.
2. Consider Automated Solutions
If management is hesitant to give buy-in on FedRAMP because of the numerous evidence requests and documentation requirements, consider a software solution that can automate and streamline tedious tasks and make the process significantly easier.
Anitian’s SecureCloud for Compliance Automation platform and A-LIGN’s audit automation and compliance management software, A-SCEND, help to streamline the compliance process. SecureCloud automates the documentation process with template libraries and reference architectures, and tracks progress toward FedRAMP authorization to help teams stay on track. A-SCEND centralizes evidence collection, standardizes compliance requests across multiple security frameworks, consolidates audits, and more.
With automated software solutions, organizations also benefit from an “enter once, populate everywhere” system, removing the need to upload the same documents and information to multiple places during the FedRAMP preparation and evidence gathering phase. This is hugely beneficial, as there are hundreds of pieces of evidence that must be reviewed in a typical FedRAMP authorization.
Both tools are also auditor-assisted, with real humans who can answer any questions you have and help you use the tools to their full potential.
3. Don’t Overlook the Benefits of Control Inheritance
Control inheritance is extremely useful on the road to FedRAMP authorization. Essentially, control inheritance is when your business automatically inherits certain security controls from an underlying infrastructure provider that is already FedRAMP authorized. A great example would be hosting your product on top of AWS or Azure Government — both of which are already FedRAMP authorized.
If FedRAMP authorization is in your future, make sure to consider the benefits of control inheritance.
Get Started With A-LIGN
The experts at A-LIGN can assist you every step of the way toward FedRAMP authorization. We can help with implementing appropriate controls, completing a FedRAMP Readiness Assessment Report (RAR), and ensuring you meet FedRAMP requirements by using Federal Information Processing Standard (FIPS) models for low, moderate, or high-impact organizations.
In 2021, we saw cyberattacks and ransomware increase with a vengeance, and 2022 has proven to be even more challenging.
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs to gain a better understanding of their organization’s position when it comes to compliance, including strengths, weaknesses, and opportunities.
Here’s how organizations across industries are responding to increased threats and best preparing.
Ransomware Is at an All-time High
A third-party assessment firm like A-LIGN can help you discover where your cybersecurity posture currently stands. Our one-of-a-kind Ransomware Preparedness Assessment reviews your risk, security preparedness, and the strength of your existing controls, helping you determine if your planned response to a security event is acceptable.
Zero trust is an idea that has been gaining traction in the world of cybersecurity over the past few years. It is a key component of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity (issued in May 2021) and it is a trend that Gartner has been tracking closely. The analyst firm predicts that spending on zero trust solutions will grow from $820 million this year to $1.674 billion by 2025.
But what is zero trust? And, what makes it an effective solution to mitigate cybersecurity threats? Zero trust is an IT security model that focuses on restricting information access within an organization to only those who need it. The premise of zero trust is to assume that threat actors are present both inside and outside an organization — therefore no users or machines are trusted by default.
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are thinking about zero trust strategies.
Zero Trust Priorities Vary Between Industries
While over half of our survey respondents (58%) agree or strongly agree that zero trust is a strategy they must implement in the next 12 months, 29% said they are not sure what they think about its level of importance.
Priorities vary between industries, with IT services (68%), manufacturing (65%), and technology (64%) companies providing the highest amount of agree/strongly agree answers. On the other end of the spectrum, finance (49%) and professional services (47%) had the lowest amount of agree/strongly agree responses.
It’s important to note that public sector organizations that hope to do business with the federal government — regardless of their industry — must prioritize zero trust as mandated by the EO previously mentioned. As we approach one full year since that EO has been in place, we’ll likely see more industries prioritize zero trust in the year to come.
Larger Companies Are Quicker to Adopt Zero Trust
Responses also varied by company size. Our survey found that 73% of organizations with $50M – $1B in annual revenue agree/strongly agree about the need to adopt a zero-trust security strategy. For companies with less than $5M in revenue, that percentage dropped significantly to 45%. These numbers indicate that larger companies believe they are a top target for cybersecurity attacks and are taking the initiative to plan ahead and protect systems and information.
Other Cybersecurity Initiatives Remain Top of Mind
Despite lower adoption of zero trust strategies among certain industries and smaller companies, many organizations across industries still noted they would complete other cybersecurity initiatives to mitigate threats. Vulnerability scans were the most popular initiative, noted as a priority by 52% of our survey respondents, followed by penetration tests (48%) and creating business continuity and disaster recovery (BCDR) plans (42%).
Interestingly, ISO 22301 certifications — a renowned standard for BCDR planning — were a particularly high priority for IT services organizations and manufacturing companies.
A Strategic Approach to Implementing a Zero-Trust Architecture
Implementing a zero-trust architecture within any organization can feel like a daunting feat without the right preparation. To make this process more manageable, the experts at A-LIGN recommend a step-by-step approach.
Before you get started, it’s important to troubleshoot possible scenarios that may occur during the implementation process. From there, plan and implement zero trust in ‘zones’ throughout your organization’s infrastructure whenever possible. This strategy will allow you to keep key business operations up and running while mitigating the chance of downtime across too many areas of your business all at once.
With federal cloud spending at an all-time high, the government sector has become a lucrative market for technology companies. Analysis from Deltek indicates that federal agencies spent nearly $11 billion on the cloud in FY 2021, up more than 40% from the $7.6 billion spent in 2019.
Cloud service providers (CSPs), in particular, have a significant opportunity to capitalize on this meteoric rise in federal cloud adoption. However, in order to do business with the U.S. government, such companies must achieve Authorization to Operate (ATO) status under the Federal Risk and Authorization Management Program, also known as FedRAMP.
In the article below, you will learn:
- Why the U.S. government is prioritizing cloud technologies
- The current trajectory of federal cloud spending
- How your business can use FedRAMP to capitalize on this trend
The Cloud Smart Strategy (Formerly Cloud First Strategy)
A 2017 Executive Order (EO), Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure, was a major catalyst in accelerating the federal agency adoption of cloud-based solutions. It declared that agencies must “show preference in their procurement for shared IT services, to the extent permitted by law, including email, cloud, and cybersecurity services.”
As a result, the U.S. government officially updated its Federal Cloud Computing Strategy from “Cloud First” to “Cloud Smart” in June 2019. The Cloud First strategy was more conceptual in nature and left many implementation questions unanswered. Cloud Smart, on the other hand, was designed to provide practical guidance to help agencies enhance the speed, security, and cost savings of their IT programs. A significant amount of this guidance focuses on brokering business relationships with CSPs based on the value their cloud technology provides.
More recently, the 2021 Executive Order on Improving the Nation’s Cybersecurity mandated that the head of each government agency “update existing agency plans to prioritize resources for the adoption and use of cloud technology.” This demonstrated that the U.S. Government remains dedicated to realizing the long-term mission of Cloud Smart.
Record-high Spending Across the Federal Cloud Market
Government agencies are currently experiencing broader, more intense pressure to adopt cloud-based solutions than ever before. But are they acting accordingly to fulfill the promise of Cloud Smart?
If you look at federal cloud spending data from the past few years, the answer is a resounding “yes.” As mentioned above, agencies spent an impressive $11 billion in FY 2021, outpacing several different projections from mid-2021 by an order of magnitude and suggesting that the market is growing even faster than many anticipated.
What’s more, the total value of cloud contracts awarded by federal agencies in FY 2021 was a staggering $23.3 billion, indicating that the government is committing to long-term relationships with CSPs, offering high-value solutions for their IT needs.
Even in the face of a looming recession, federal spending on technology has remained steady, and cloud remains a top priority that is firmly locked in the upper percentile of all federal contract spending.
Using FedRAMP to Capitalize on the Federal Cloud Boom
It has become abundantly clear agencies are steering their considerable purchasing power toward the adoption of cloud technologies. To streamline and standardize the security and procurement elements of the Cloud Smart strategy, the government is using FedRAMP.
In order to do business with government agencies, CSPs must demonstrate their ability to meet federal security requirements through FedRAMP assessment, authorization, and continuous monitoring. The program resulted in a robust marketplace of vetted CSPs for agencies to choose from when evaluating their technology needs and advancing their cloud maturity.
It’s also worth noting that the FedRAMP program continues to put a great deal of effort into making the authorization process more accessible to CSPs of all shapes and sizes. In 2018, six years into the program, there were 100 authorized products. In just a few years, that number has more than doubled to 260+ authorized products and counting.
Best of all, agencies have a great deal of trust in the security of FedRAMP-authorized cloud solutions and are leaning heavily on vendors from the FedRAMP marketplace. According to FedScoop’s recent Federal Perceptions of Cloud Security report, federal IT leaders believe FedRAMP is the number one way to maintain security control over their agency’s strategic data, above on-prem data centers and hybrid/commercial cloud environments.
Three Reasons CSPs Should Invest in FedRAMP Now
Are you a CSP considering doing business with the government? Here are three reasons you should get started on FedRAMP compliance ASAP.
The Ability to Sell to the Federal Government
FedRAMP is mandatory for all cloud services used by government agencies. Achieving authorization will allow you to tap into the booming federal cloud market.
Meet Multiple Government Agencies’ Requirements
A FedRAMP security authorization can be reused across multiple agencies: FY 2021 saw a 45% increase in the number of FedRAMP-authorized security packages reused by agencies, indicating that the “certify once, use many” vision of the program has become a reality.
Differentiate with a Valuable Marketing and Sales Tool
FedRAMP is recognized as the pinnacle of cloud security certifications, which means it can be a valuable cybersecurity proof point when you are selling to the private sector, too. A news search of “FedRAMP authorization” yields countless press releases illustrating the pride CSPs take in this compliance achievement.
Achieve FedRAMP Authorization from a Top Assessor
For CSPs, there is no better time to earn FedRAMP authorization than right now. The federal cloud market is soaring with no signs of slowing down, as many agencies are still in the early stages of their cloud maturity journey.
As one of the top five FedRAMP assessors in the world, A-LIGN can help with any of your needs including advisory services or an official assessment paired with continuous monitoring.
Have a follow-up question, or would you like to learn more about undergoing a FedRAMP assessment with A-LIGN? Reach out to one of our experienced FedRAMP specialists.
A-LIGN’s Compliance Crosswalk podcast features discussions at the intersection of security, privacy, compliance, and risk management. On our fourth episode, hosts Blaise Wabo, Healthcare and Financial Services Knowledge Leader, Arti Lalwani, Risk Management and Privacy Knowledge Leader, and Patrick Sullivan, Vice President of Customer Success, share their thoughts and insights on A-LIGN’s 2022 Compliance Benchmark Report.
What is the 2022 Compliance Benchmark Report?
Our 2022 Compliance Benchmark Report offers insights into how your organization’s cybersecurity and compliance efforts stack up against other organizations across various industries.
We surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs with the goal of gaining a better understanding of their organization’s position when it comes to compliance, including strengths, weaknesses, and opportunities.
What’s Changed in the 2022 Report?
There are common themes between the 2021 and 2022 Benchmark reports, including the fact that cybersecurity and compliance remain a top priority for organizations across industries. Compliance is still a driver for winning new business and maintaining relationships with existing customers. Therefore, obtaining (and maintaining) certain certifications is still a major motivator for growing organizations.
However, there are noticeable differences between the reports as well. In 2021, 25% of those surveyed were using some sort of compliance software to either drive or to complete compliance assessments. But in 2022, we see close to 75% of organizations utilizing compliance software and platforms.
Patrick Sullivan speculates that this big jump can be attributed to organizations recognizing how important cybersecurity is and how urgently they need to act on minimizing threat levels. Even with the Great Resignation forcing personnel shifts, many organizations still devoted more of their resources to developing stronger business continuity plans to prepare for disasters or security incidents.
The Rise of Audit Fatigue
With so many third-party assessments offered and frameworks and regulations to follow, the experts at A-LIGN caution compliance experts to avoid “audit fatigue.”
Too many organizations view audits as a catch-all, building strategies around the audits they complete instead of the other way around. Before registering for assessments, organizations should take a step back and look at their compliance and security frameworks as a whole. Build a compliance strategy first, then pursue audits that meet the needs of that strategy.
“It’s possible to solve all of your problems but not have the solution you want,” Patrick explains, which is why organizations should determine what frameworks they actually need to follow before proactively pursuing them.
Cybersecurity Concerns in 2023
It’s not too early to start making predictions about which trends will become more prominent in the next year.
The 2022 Benchmark Report found the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to be one of the top three compliance services organizations are looking to lean more into in the following year.
HIPAA’s rise in popularity is a sign of the times. Following the height of the COVID-19 pandemic in 2020, the telehealth market saw a rapid rise in popularity. Organizations expanded services and brought on many third-party vendors, which unfortunately surfaced vulnerabilities and led to an increase in healthcare-related cyberthreats.
Blaise notes the value of healthcare data as a major driver for targeted attacks. He speculates that most of the hackers nowadays are not just looking for the money but are also looking for data that has real value—and there’s no better way to do that than infiltrating healthcare systems. In fact, the value of one health record on the black market is anywhere from $650 to $2,000 per record.
Beyond the healthcare industry, ransomware attacks are poised to become a more commonplace issue into 2023 and beyond. We’re predicting a rise in Ransomware as a Service — a practice where bad actors package ransomware into a kit. They can then sell this kit to a less sophisticated bad actor, granting that entity access to all of the tools needed to attack an organization’s network.
How Organizations can Start Preparing Now
While it’s hard to predict what exactly the future holds, perhaps the most important thing organizations can do is find a trusted partner to help address their cybersecurity concerns.
“Finding a trusted partner is definitely key,” says Blaise. Both compliance and cybersecurity require certain protocols for certain types of information, and for some, this can be a sensitive topic to broach. People should feel comfortable discussing their organization’s weak points with their security provider, and establishing a strong relationship before a cyberattack occurs.
Join Blaise Wabo and Arti Lalwani for episode five of the Compliance Crosswalk podcast, available in July.
As security tools get more innovative, so do the threat actors aiming to compromise your systems.
Many of these bad actors have taken to recycling existing malware variants, even if it’s only making minor tweaks to make the attacks slightly different. Cybercriminals aren’t always reinventing the wheel — but it only takes the smallest of changes for a once-preventable variant to suddenly slide past your systems undetected.
It’s important for organizations to take a proactive approach to their cybersecurity. Preventative measures like penetration tests can determine how IT systems would hold up in a real-world attack scenario, which is quite valuable given the current global threat environment.
What Is a Penetration Test?
Penetration tests (pen tests) are simulated cyberattacks designed to assess the cybersecurity of your organizational technologies and systems. Composed of multiple steps, this process:
- Tests your organization’s information security of both technologies and systems
- Identifies vulnerabilities in your cybersecurity posture before threat actors do
- Helps your organization remediate security and compliance gaps
Pen tests are performed by ethical hackers, meaning the tests involve carrying out attacks on real systems and data using the same tools and techniques an actual attacker would. However, the information collected is not sold to malicious third-party groups, and the organization is not placed in actual danger.
Why a Pen Test Is Needed
As data breaches continue to dramatically increase in both depth and complexity, organizations have bolstered their lines of technological defense. But with the numerous variants of malware comes the possibility of a security incident.
A penetration test is the best way to see if a threat actor can take advantage of any exploitable vulnerabilities. These new malware variants attempt to evade detection from common vulnerability scans. While the variants fail the majority of the time, this might not always be the case.
With 560,000 new pieces of malware being detected every day and four companies falling victim to ransomware attacks every minute, it is easy to see how a variant can slip through the cracks. Pen testing is a good way to ensure your incident response team can minimize the amount of damage done.
A penetration test is a good way to test an organization’s incident response team, as they can determine where lapses in protection hide without putting any sensitive information in harm’s way.
When It Comes to Pen Testing, Focus on the Big Picture
It is critical to know where all of the weaknesses lie in an organization’s tech stack.
However, some may only associate these fragile points with already-discovered vulnerabilities. Organizations need to look at the bigger picture when examining their defense systems and determining risk.
System vulnerabilities can show a lack of process, a lack of knowledge, and a lack of planning within an organization.
For example, a penetration test can reveal deficiencies related to how a company keeps its servers updated or how they apply patches. It can also show everything from a lack of logging and monitoring to the lapses of protection if an event were to happen.
This is why it’s so important to start with a solid security framework — such as one from NIST — when deploying a network. This makes it easier to establish strong cybersecurity controls while also helping to manage and reduce cybersecurity risk.
As for networks that have already been deployed, you can compare their current state to existing frameworks to determine where gaps may hide.
Pen Testing Can Play a Role in Preventing Cyberwarfare
Even before the Russian/Ukrainian war, Ukrainian organizations had frequently found themselves victims of cyberattacks, from phishing campaigns to malware variants.
Earlier this year, the country narrowly avoided a serious cyberattack on their nation’s power grid. Hackers used malicious software to target one of Ukraine’s largest energy companies, trying to shut down substations. If successful, this would have caused blackouts for two million people.
Fortunately, cybersecurity companies were able to identify and neutralize the software before the attack could do any damage, but this isn’t always the case.
Government-targeted cyberattacks are on the rise in the United States as well. In 2020, 68% of states saw at least one of their municipalities fall victim to attack, many of them instigated by nation state actors.
Routine pen tests (at minimum once a year) can reassure both governments and private organizations that their current safety protocols are up to date. But, for real-world protection, conducting pen tests more often will help to better protect your organization.
Become More Proactive About Your Cybersecurity Today
When it comes to keeping your networks secure, it’s not a matter of if a cyberattack will occur, but when.
There’s no way of predicting when these attacks will take place, but if a security incident should happen, it’s important to have already solidified how your organization will respond. Tools like pen testing can help teams create strategies to avoid a potential disaster.
For an extra layer of protection, organizations should consider adding a vulnerability scan to their penetration tests as well. Vulnerability scans check an organization’s network and systems for any known vulnerabilities against a database of vulnerability information. Paired alongside pen tests, organizations can more effectively enhance their security posture by taking a truly proactive approach to cybersecurity.
A-LIGN’s OSEE, OSCE, and OSCP Certified Penetration Testers will use the latest cybersecurity tactics to ensure your organization’s critical data is protected.
Is your organization prepared to face a cyberattack? Our Ransomware Preparedness Assessment can help you find out.
For many businesses, the biggest challenge in obtaining a HITRUST CSF certification is having to establish policies and procedures that satisfy the HITRUST criteria, which is a requirement for the r2 Assessment. Note that policies and procedures are still required in an i1 Assessment, but without the rigorousness of the r2 Assessment as described in this blog.
While organizations focus carefully on implementing each HITRUST control requirement, I also suggest they pay close attention to their policies and procedures. Prioritizing strong HITRUST policies and procedures is crucial to passing the audit and earning a HITRUST certification.
It’s also best to create and document policies and procedures for the HITRUST CSF sooner rather than later, as they must be in place for at least 60 days prior to the audit carried out by an external assessor.
Read on to learn more about HITRUST policies and procedures, the minimum requirements for documentation, and what to do if you don’t have sufficient resources to handle such an initiative.
Understanding HITRUST Policies and Procedures
A big reason why companies often treat HITRUST policies and procedures as an afterthought is that they have existing documentation mapped to another standard (such as SOC 2 or ISO 27001) and assume they can carry over to cover HITRUST requirements. This is not the case — in fact, most of the time, an organization will have to completely rewrite their policies and procedures in order to meet HITRUST requirements.
Here are the key points to know about HITRUST policies and procedures.
What are HITRUST policies?
HITRUST policies are the rules an organization and its employees must follow in order to achieve a specific goal. According to the most recent HITRUST Assurance Advisory (2021-014), “A documented policy must specify the mandatory nature of the control requirement in a written format which could reside in a document identified as a policy, standard, directive, handbook, etc.”
HITRUST policies should contain statements from management describing how your organization plans to adhere to each HITRUST control requirement. For example, “Acme Corporation will keep up a vulnerability management program that proactively identifies and detects information security vulnerabilities, so that the business may…” (ending with the goal the company aims to achieve through vulnerability management).
What are HITRUST procedures?
HITRUST procedures provide an explanation of the “how” behind HITRUST policy implementation by describing step-by-step instructions for specific routine tasks. As per the latest HITRUST Assurance Advisory, “A documented procedure must address the operational aspects of how to perform the requirement. The procedure should be at a sufficient level of detail to enable a knowledgeable and qualified individual to perform the requirement.”
This means each of your procedures must give a detailed description of:
- How the policy is being implemented
- When each step of the procedure should be performed
- Who is performing specific actions related to the procedure
- Additional details on timing and accountability
HITRUST procedures should answer the “how” behind each policy and, where applicable, provide details on the “when” and “who.” For example, the official Vulnerability Management Procedure for Acme Corporation would provide a comprehensive account of its scope and goals, key responsibilities assigned to specific roles and departments, descriptions of various security assessments involved in the program, a schedule delineating the frequency of audits, and more.
What HITRUST Policies and Procedures Does My Organization Need to Document?
Because the HITRUST CSF is a flexible and scalable security framework that is tailored to the compliance needs of each organization, the exact policies and procedures required will depend on the scope of your assessment.
That being said, at a minimum you must have policies and procedures in place that address the 19 HITRUST control domains. Your organization must receive a maturity score of at least “3” (on a maturity level scale from 1-5) for each control domain in order to earn HITRUST r2 certification. Having strong policies and procedures in place and effectively implemented makes up the baseline of HITRUST compliance. The HITRUST CSF control domains are:
- Information Protection Program
- Endpoint Protection
- Portable Media Security
- Mobile Device Security
- Wireless Security
- Configuration Management
- Vulnerability Management
- Network Protection
- Transmission Protection
- Password Management
- Access Control
- Audit Logging and Monitoring
- Education, Training, and Awareness
- Third-Party Assurance
- Incident Management
- Business Continuity and Disaster Recovery
- Risk Management
- Physical and Environmental Security
- Data Protection and Privacy
Again, to address the 19 HITRUST control domains, the information included in your documentation depends on the compliance needs of your business and the scope of your assessment. Scoping factors that determine your organization’s number of control requirements and therefore inform your policies and procedures include:
- Company industry
- Company size
- Company location
- Types of data handled
- Data access and usage (including third parties)
- How systems process, store, and transmit data
For example, a company with a HITRUST CSF assessment that covers 250 control requirements will have a different password management policy than a company with 450 control requirements. The latter organization may have a control that states employees must change their password every 90 days while the former organization may not have any such control.
Solving for a Resource Deficit When Designing HITRUST Policies and Procedures
After comprehending the structural nuances of the HITRUST CSF, it is very common for organizations to realize they simply don’t have the resources and/or budget required to create and document the necessary HITRUST policies and procedures from scratch.
If you are worried your organization does not have the proper resources in place — a trusted HITRUST advisor can help. Following a Readiness Assessment designed to pinpoint gaps in your organization’s environment, A-LIGN can provide comprehensive HITRUST Risk and Advisory Services that include any combination of:
- Creation of policies and procedures
- Documentation of policies and procedures
- Gap remediation for policies and procedures
- Implementation of nontechnical controls
- Gap remediation for nontechnical controls (e.g., develop an incident response plan or BCDR plan, help conduct HIPAA training, etc.)
Our practiced guidance will accelerate your path toward HITRUST certification, saving both time and resources. Read the story of our partnership with Sandata Technologies that inspired the company’s Security Director, Michael Alcide, to say, “[A-LIGN’s] guidance throughout the entire [HITRUST] process was invaluable. They helped us understand the small nuances and specific requirements that are always changing.”
Take the Stress Out of HITRUST
It’s no secret that achieving HITRUST certification can be complex and, at times, confusing. Leverage industry experts who are deeply familiar with HITRUST (500+ assessments with a 100% successful certification rate) and your organization will be more efficient with assessment preparation, including documentation of the necessary policies and procedures.
Looking to expedite your path to HITRUST certification?
Download our HITRUST checklist now!
Why is it important to assess the security of your vendors? Because your organization is only as secure as your outside resources and it’s imperative to ensure your vendors are HITRUST certified.
Regardless of whether you have just started your HITRUST journey or have been certified for years, you probably ask yourself the typical questions: “What is our security posture?”, “What controls do we have in place?”, and “What controls do we need to implement, measure, and manage to become compliant and maintain the HITRUST CSF Certification?”
What is one thing all these questions have in common? An inward focus. Although you’re right that these questions are important to answer, by focusing inward you’re overlooking crucial areas that could put your organization at risk: those areas handled by external service providers and vendors.
In 2015, many large corporations in the healthcare industry, including Anthem, Health Care Services Corporation (HCSC), Highmark, Humana, UnitedHealth Group, and many more, issued a requirement for all of their downstream vendors to achieve HITRUST certification. The purpose of this requirement was to ensure the safe handling of all sensitive information. Fast forward six years, and it’s now an industry standard for all vendors, large or small, to offer a HITRUST CSF solution.
Let’s take a look at why it’s so important to assess your vendor’s security posture.
What is HITRUST CSF?
The HITRUST CSF is a robust and scalable framework for managing regulatory compliance and risk management of organizations and their business associates. Originally designed specifically for the healthcare industry, the HITRUST framework has found success across multiple industries because it unifies regulatory requirements and recognized frameworks including, but not limited to:
- ISO 27001
- NIST SP 800-53
- HIPAA/HITECH
- PCI DSS
With its ability to combine several assessments and standards into one framework, the HITRUST CSF allows organizations to decide what regulatory factors they want to include in their assessment based on the level of risk and the regulatory requirements. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one – saving them time, money, and resources. Because of this benefit and its comprehensive focus on security and privacy, the HITRUST CSF has been widely praised and adopted by organizations around the world.
If your organization works with outside vendors or partners, it’s important to ensure they take data security and privacy as seriously. After earning your own HITRUST CSF certification, the next step is to assess your vendors.
Why Assess Vendor Security?
The HITRUST CSF Assessment methodology requires testing of all relevant controls for in-scope data, systems, and applications, even when they are owned and performed by a third party. The controls can be directly tested as part of your assessment, explained in a formal security assessment such as a SOC 2, or ‘inherited’ from the vendor.
What this means for a company seeking HITRUST certification is that all related controls must be satisfied for every location (including cloud service providers and software-as-a-service products) and every application in the solution. Examples of related controls include the following:
- Physical security for the datacenter where information is stored
- Network security for the application that is used
- Encryption of sensitive data
- Monitoring for unauthorized access and devices
- And more
Cybersecurity compliance is advancing and it’s no longer good enough for you to have great security if your vendors do not. Now that you’re ready to select your HITRUST-certified vendors, it’s important that you learn where they are in their HITRUST certification process. Your vendors can provide you with a self-assessment, validated assessment or certified assessment.
At the very least, it’s suggested they provide a validated assessment, as it’s a more rigorous process due to independent testing of the controls performed by an authorized CSF external assessor firm. Upon completion, HITRUST reviews the complete assessment and, if the organization has failed to receive a rating of 3 or higher on any of the controls, issues a Validated Report (rather than a certified one) as the outcome. When undergoing the validated assessment, any gaps in evidence or control performance affect their certification attempt and may disqualify them from your vendor selection process. If you are unsure whether your vendors and suppliers meet the necessary requirements, it’s important to have the tough conversations to learn what assessments have been performed, whether they will provide full reports for review, and whether they participate in the HITRUST inheritance program.
How Can A-LIGN Help?
A-LIGN’s Advisory Team will review your company’s policy and procedure documents and evaluate them against the HITRUST CSF. We will share any gaps identified and will remediate those gaps by updating and documenting the policies and procedures accordingly to meet the HITRUST CSF specifications. If your company needs policies and procedures created, we can design and document those appropriately after performing interviews to understand the control environment. We can also assist in documenting non-technical controls such as Risk Assessment, Incident Response, Disaster Recovery, and more.
Once all gaps are remediated, the A-LIGN Assurance team will perform an independent review and submit the assessment to HITRUST for certification.
Our team of HITRUST experts is here to answer any question you might have at every step of the process, responding to all inquiries within 24 hours. With A-LIGN, you’re on the right path to HITRUST certification success.
Interested in learning more about HITRUST CSF? Complete a form and one of our cybersecurity and compliance professionals will reach out soon.
ISO/IEC 27002 has not been updated since 2013, but that all changed when the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) published an update to the standard in February 2022 – ISO/IEC 27002:2022. So, what does this mean for organizations that look to the guidance standard for direction on how to configure their information security management system (ISMS) to achieve compliance?
On Episode 2 of Compliance Crosswalk, hosts Arti Lalwani and Blaise Wabo sit down with guest Steve Holladay of Arrowhead Training to discuss the updated ISO 27002 and share insights on how the recent changes will impact listeners’ organizations.
Making ISO 27002 Easier to Understand
Steve Holladay has been in the standards industry for 40 years and is a consulting professional with Arrowhead Training – a company on a mission to demystify management system accreditation requirements through standards training. His decades of experience made him the perfect guest to discuss insights on the newly revised ISO 27002.
To kick things off, the group explored the change in nomenclature from domains to themes. Through mergers and elimination of redundancies, the new ISO 27002 reduces the 114 controls formerly categorized by domains down to 93 controls, and groups them into four themes – Organizational controls, Technological controls, Physical controls, and People controls.
Worth noting: None of the previous controls were actually eliminated, merely merged. In addition, 11 new controls were added. Fortunately, the standard contains two annexes which users can use to trace the updated controls back to their corresponding former controls, and vice versa.
Steve believes replacing domains with themes will help business leaders better understand their ISMS and how the controls help secure information. The challenge that many of those working in non-tech companies encountered with the 27002:2013 standard was understanding the definition of the domains. After all, they were written for IT professionals rather than management.
By shifting to the concept of themes, stakeholders should better comprehend what the standard is trying to accomplish as it relates to their business or management system. Steve anticipates high acceptance of the standard as a result of this revision.
And as a bit of advice, he recommends organizations don’t attempt to jam their current ISMS into the four new theme areas. Rather, they should redesign their ISMS from the ground up around the themes. While it will take some work, it will result in a more effective system.
Designed for Present and Future Threats
Threats to information security are always evolving, and so one of the 11 new controls added to ISO 27002 centers on “threat intelligence.” It’s a significant change that is especially relevant in the post-pandemic era where online activity and the danger of cybercrime remain elevated.
According to Steve, there was previously a “one and done” mentality to risk assessment. “Once the risk assessment was done, organizations really didn’t look at it again.” The new guidance frames threats as a danger that needs to be continuously evaluated, with appropriate actions put into place to safeguard against them.
Blaise praises the updated standard for its flexibility, particularly in this environment of increased ransomware attacks and rapid cloud adoption, which makes organizations more vulnerable to cybercrime. ISO 27002 gives companies latitude to implement their own controls while meeting the objectives of the themes. “I think this is a win for the industry.”
Arti stresses that an ISMS is a management system and was never meant to be a checkbox system that is reviewed once a year. Positioning the risk assessment within an ISMS as a living document will make things easier for everyone when it comes time for the annual audit.
Time to Get Started
Considering that ISO 27002 is a guidance standard, will the actual ISO 27001 standard be similarly updated? Most operators in the space might assume so, but Steve shared some inside knowledge: ISO 27001 will be amended sometime between now and October.
This is good news for organizations currently in a holding pattern in anticipation of the change. Since the upcoming revision will be an amendment rather than an update, organizations can immediately start applying the 27002:2022 guidance standard to their ISMS to achieve compliance.
“We want to encourage clients not to wait,” says Steve. “Go ahead and start exploring the standard. You’re way ahead of the game by looking at those controls and understanding how ISO 27002:2022 will fit within your organization.”
Arti wholeheartedly agrees on getting a jump on things and recommends that those currently undergoing their ISO 27001 audit update their ISMS using the available ISO/IEC 27002:2022 guidance. This way, an updated Statement of Applicability (SOA) will reflect compliance with the new control set.
A parting message: Reach out to your certification body (CB). The CB will let you know of any available updates to your current ISO 27001 certificate. Pursue an ISO 27001 certificate to ensure your ISMS conforms to the standard and to confirm your controls are robust and effective against all threats – those present and those yet to come.
Click here to watch the full video of this episode.
Click here to stream all episodes of the Compliance Crosswalk podcast.