A-LIGN Insights: Cybersecurity Predictions and Trends for 2022
In this issue we shed light on how to deduplicate efforts to save time on multiple audits, discuss how the Safe Harbor Act affects your organization, reveal the 5 best practices for compliance management, and much more.
Featured Content
The Safe Harbor Act
The HIPAA Safe Harbor Act was designed to limit the fines associated with a data breach for healthcare organizations that implement “recognized security practices.” Do you have your cybersecurity practices in place? Blaise Wabo, A-LIGN’s Healthcare and Financial Services Knowledge Leader, discusses how to identify what you need to mitigate risk.
Read more.
5 Best Practices for Compliance Management
Looking for time-tested compliance management advice to level up your organization’s program? Patrick Sullivan, A-LIGN’s Director of Customer Success, recommends five best practices to follow for compliance success.
Read more.
A-SCEND Developer Blog Series
Jason Kosecki, A-LIGN’s Principal Product Operations Manager for A-SCEND, continues his blog series to announce A-SCEND’s new releases and upcoming features! Get a sneak peek into how the addition of “link evidence” will help to streamline your audit process, saving you time and resources.
Read more.
Compliance News
3 Compliance Factors Your European Organization Should Consider
From GDPR updates to the increasing popularity of U.S. compliance standards, European businesses have a lot to consider in 2022. Huw Pegler, A-LIGN’s VP of EMEA Sales, reveals three key factors to consider right now.
Read the full article.
Can You “Fail” a SOC 2 Examination?
Although you can’t “fail” a SOC 2 examination, the auditor’s opinion can be modified (for example, a qualified opinion) when one or more controls were not suitably designed or did not operate effectively. Alex Welsh, Associate Manager at A-LIGN, reveals what this means for your organization.
Read the full article.
In Case You Missed It
Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond
A-LIGN’s Federal Practice lead, Tony Bai, welcomed special guest Emily Cummins, Director of Cloud Security at Anitian, to discuss the latest news in federal compliance including the new Authorization Boundary Guidance, updates on CMMC 2.0, StateRAMP and more.
Click here to view.
Federal Compliance Webinar: StateRAMP
A-LIGN’s Federal Practice lead, Tony Bai, welcomed special guest Leah McGrath, Executive Director of StateRAMP, to discuss the latest in the StateRAMP rollout, how StateRAMP compares to FedRAMP, and more.
Click here to view.
Cybersecurity Predictions & Trends for 2022: Your Year of Readiness
As 2021 comes to a close, A-LIGN’s partner GreyCastle Security shared how to prepare for 2022’s top cyber challenges, and recommendations to develop a strategic and efficient cyber-strategy to best prepare for the year ahead.
Click here to view.
A-SCEND Tip of the Month
A-SCEND’s “How to” Video Series: Deduplication of Efforts to Save Time Across Multiple Audits
Michael Darmanin, A-SCEND’s Senior Technical Support Analyst, launched a new video series in which he walks you through our compliance management platform, best practices, and tips and tricks to help streamline your audit process. In his latest video, Michael shares tips and tricks on how to use deduplication to save you time across multiple audits!
Learn more.
Season’s Greetings
From everyone at A-LIGN, we would like to wish you a wonderful holiday season, and a happy and healthy New Year. Cheers to 2022!
The National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) is a set of guidelines recommending how U.S. government agencies and private sector organizations supporting federal contracts should manage and protect information systems and the data within those systems.
The security controls within NIST SP 800-53 are organized into control families ranging from Access Control to Contingency Planning, Media Protection, Risk Assessment, and more; Revision 5 groups them into 20 families. In total, these families house more than 1,000 individual controls and control enhancements.
NIST SP 800-53 has been through multiple revisions since it was first published, to keep pace with changes in technology and data management practice. The final version of the most recent revision, NIST SP 800-53 Revision 5, was published in September 2020, and NIST withdrew Revision 4 on September 23, 2021.
Revision 5 has now superseded Revision 4. Let’s review a few key differences between the two.
A Greater Emphasis on Privacy
At a high level, Revision 5 places greater emphasis on privacy, part of a larger effort to integrate privacy into the Federal Information Security Modernization Act (FISMA) framework rather than treating it as a separate track. As such, the privacy controls that were previously detailed in Appendix J of NIST 800-53 Revision 4 have evolved and moved into the main catalog as a new control family, Personally Identifiable Information Processing and Transparency (PT).
We’re not surprised by this change. There’s been an increasing emphasis on privacy over the last few years, with the introduction of regulations like the EU’s GDPR and China’s PIPL. NIST even came out with its own privacy framework early in 2020.
Additional Control Categories
Personally Identifiable Information Processing and Transparency isn’t the only new control category in Revision 5. Supply Chain Risk Management and Program Management categories are also present in this newest revision. The Supply Chain Risk Management control family expands on concepts that were previously outlined in the Supply Chain Protection control within Revision 4, and the Program Management family expands on the Information Security Program Management controls that were addressed in Appendix G of Revision 4.
We expect supply chain risk to remain top of mind and are tracking a published timeline from NIST that states the organization “will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria” in February 2022. From there, additional guidelines are expected to be published in May 2022.
A Focus on Outcomes
In addition to new and updated controls, Revision 5 also incorporates a greater emphasis on outcomes. Control statements within the updated version of NIST 800-53 have been rewritten to focus on the goal of the action instead of identifying a specific entity responsible for implementing the control. This is meant to acknowledge the fact that broad cooperation and collaboration is often required to achieve results. It is also meant to clarify the controls for non-government organizations, like private entities fulfilling government contracts, that often don’t have the same delineation of roles that we see within government organizations. With this change, NIST 800-53 is clearer and more adaptable for non-government entities seeking compliance.
Introduction of Separate Control Baselines
Revision 5 also separates the control baselines from the control catalog with a supplementary publication, NIST SP 800-53B. This publication outlines the three security control baselines (low-impact, moderate-impact, and high-impact) and a separate privacy control baseline, and provides guidance for tailoring baselines to specific communities based on an organization’s technologies and environments of operation. NIST has stated that this change was made to further support the use of NIST 800-53 Revision 5 by different communities of interest and so the controls can be used “to support other cybersecurity lexicons and risk management approaches.”
Making Sense of All These Changes
In addition to the significant changes mentioned above, Revision 5 also incorporates a variety of new controls to strengthen security and privacy governance and accountability, support secure system design, and support cyber resilience and system survivability. The amount of changes may seem daunting, but partnering with an assessor firm that is familiar with NIST, like A-LIGN, will help you ensure that your organization doesn’t miss a beat in complying with these revised guidelines.
Whether this is your first attempt to comply with NIST 800-53, or you previously complied with Revision 4 of the guidance, A-LIGN can help you implement and update procedures to meet Revision 5 standards. And since Revision 5 officially replaced Revision 4 at the end of September 2021 — there’s no more time to waste.
HITRUST Assurance Advisory Adds Strategic Scoping Factors
Even though compliance is an on-going process, each individual assessment has its own lifecycle, which begins with a self-assessment of scoping factors. This can be a tedious process to complete for every audit, especially if the same questions get asked more than once, or continue to show up in assessment requirements. Fortunately, HITRUST has introduced a strategic approach to its scoping factors, which it announced in its Assurance Advisory: 2020-003.
HITRUST made multiple changes to its scoping factors, streamlining the assessment process by mapping scoping factor questions to assessment requirements and dropping requirements that do not apply. Scoping factor questions now carry additional context to avoid the typical back-and-forth that can occur during QA of the assessment.
This Assurance Advisory is set to minimize unrelated requirements when a scoping factor is marked “no” and to curtail the constant flow of “this is not applicable because…” responses currently captured in HITRUST CSF assessment reports. According to HITRUST, “Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.”
HITRUST is adding more than ten additional scoping factor questions to identify risk factors for assessment, and adding additional requirements to existing scoping factors. The HITRUST portal, MyCSF, will require additional explanation for each question answered “No,” so that an External Assessor, such as A-LIGN, and the HITRUST QA can better evaluate each response. Additionally, HITRUST is adding more information to its help page and clarifying its definition of a third-party.
Streamlining assessment requirements is a key component of strategic compliance, which seeks to centralize, standardize and consolidate audits. Our compliance management platform, A-SCEND, already deduplicates redundant assessment requests to help our clients achieve strategic compliance. If you also appreciate the value of eliminating superfluous workflows, then we suspect you will be happy to see this update from HITRUST.
Download our HITRUST checklist now!
Five Best Practices for Compliance Management
Our 2021 Compliance Benchmark Report provided significant insights on how organizations are navigating the current compliance landscape, as well as how they are preparing for the future. By surveying more than 200 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals, we discovered a great deal about what makes compliance programs run smoothly and efficiently, and where there may be areas for improvement for businesses of all sizes and across all industries.
Here are five compliance management best practices gleaned from the 2021 Compliance Benchmark Report that you can use to improve your organization’s compliance program.
Best practice #1: Combine audits for greater efficiency
One of the standout findings from our Compliance Benchmark Report was the revelation that many organizations are not taking advantage of opportunities to streamline their audit efforts while achieving the same results. 85% of respondents to our survey said they conduct more than one audit every year, but just 14% consolidate their audits into a single annual event.
We highly recommend taking a strategic, year-round approach to preparation in which your organization consolidates audits and assessments wherever possible. A Master Audit Plan (MAP) is an invaluable tool that can be used to:
- Gain greater visibility into the efforts required from various teams
- Determine what is needed for each audit
- Identify evidence that can be repurposed across audits
50% of our survey respondents said they spend one to two months preparing for each audit or assessment and 17% noted they spend six months or more preparing for each audit or assessment. Clearly, using a MAP for more efficient compliance management has the potential to save your organization substantial time and resources.
Best practice #2: Leverage SOC 2 to build customer trust
When we asked our survey audience about the audit, attestation, or assessment they believe is most important to their organization, the top answer by a wide margin was SOC 2. Nearly half (47%) of respondents said that SOC 2 is mission critical to the success of their business.
A SOC 2 report is widely read as evidence of a mature IT security program, which is why this voluntary attestation is often used to build trust with prospects and customers by demonstrating that an organization has sufficient data protection mechanisms in place. One-third of the professionals who took our survey said that SOC 2 is typically the number one report or certification that customers want to see when performing data security due diligence.
In fact, SOC 2 has become so widely recognized in information security circles that, although it is a U.S.-based standard, some European organizations are now being asked to obtain SOC 2 reports, especially in highly regulated industries.
Best practice #3: Use technology to automate tedious tasks
One of the biggest obstacles organizations face during the audit process is repetitive and manual evidence collection since these tasks eat up significant time and resources. In fact, 27% of our survey respondents said that evidence collection is the greatest challenge of their audit process.
To streamline these tasks and free up staff hours to focus on more strategic initiatives, consider utilizing audit automation and compliance management software to centralize evidence collection. This technology gives your organization the ability to effortlessly link one or more pieces of evidence to multiple audit requests. However, despite the opportunities associated with audit automation and compliance management software, not many organizations are taking advantage of automation software; just 25% of respondents to our survey said they use a software solution to prepare for audits.
Worth noting is that automation software should always be used in tandem with an experienced compliance partner to ensure no corners are cut and that your compliance program is maturing as a whole. For example, when planning for SOC 2, be wary of software companies that claim their fully-automated SOC 2 software can take you through the entire audit process in just a few weeks. While automation tools can be useful for retrieving data that is required during the audit, it’s best to leverage the expertise of professional auditors who will ensure your SOC 2 process is thoughtfully planned and carefully executed for maximum efficiency.
Best practice #4: Prepare for the future of privacy compliance
Our Compliance Benchmark Report found that a whopping 71% of organizations believe that a rising focus on privacy across the globe has impacted their compliance practices and audits. 48% say that increased requirements related to privacy have resulted in additional compliance needs for their business.
As a result, organizations are recognizing the need to make data privacy a significant priority in 2022 and beyond. However, 44% of our survey respondents say limited staff resources pose a major challenge to their audit process, and 18% agree that their compliance team doesn’t have the skills and training needed to deal with privacy.
We recommend that you continue to monitor the latest news about the evolution of global and U.S. privacy regulations that could affect your organization. If you have questions about whether an upcoming law will apply to your business, reach out to your compliance partner to determine if it’s time to start laying the groundwork for these requirements within your compliance program.
Best practice #5: Review the end goals of your compliance program
When we asked our survey audience, “What is the driving force behind your organization’s compliance program?” responses were fairly evenly distributed across a few key areas:
- Adhere to regulatory requirements (19%)
- Meet board-level mandates (16%)
- Establish trust with prospects and customers (15%)
That being said, we also found that 64% of respondents have used an audit or assessment to win new business — even if that’s not the primary driver of their compliance program. In much the same way that a MAP can be used to get all departments on the same page and devise a strategy to check multiple compliance boxes at once, we advise your organization’s leadership to collectively ask, “how can we get the most out of our compliance management efforts?”
Many organizations approach audits and assessments in a reactive manner — 23% of respondents say their audits are driven by customer requests rather than internal management. For example, during the sales process, a prospect might request compliance with a specific framework, such as SOC 2 or HITRUST, generating an all-hands-on-deck effort to complete the necessary audit or assessment.
Instead, consider investing more time up front researching the accredited assessments and certifications that carry the most weight in the eyes of your target audience. Then you can balance these needs with more stringent regulatory requirements in your overarching compliance management strategy.
Next steps for proactive compliance management
Compliance shouldn’t feel like a burden. When approached thoughtfully and deliberately, your compliance program can support business growth and serve as proof that your organization is fully committed to cybersecurity. It starts with effective compliance management, combined with proactive consideration about what your compliance program should look like several years down the line.
We know you may not be a compliance expert, and that’s okay — because we are! A-LIGN can review your organization’s current compliance efforts, help identify gaps, and work with you to determine how compliance can contribute to desired outcomes in other areas of your business.
In 2021, we saw an increase in international expansion and need for compliance certifications, and big changes in the privacy landscape. As we near the end of the year, European organisations should be thinking ahead to the compliance challenges and opportunities that are coming in 2022. It’s always best to be proactive in strategising for future regulations, standards, and policies — even if you feel your business is currently running with all systems fully operational.
Here are a few of the changes, trends, and predictions in the world of European business that I believe will make a big difference throughout 2022.
GDPR and the New Standard Contractual Clauses (SCCs)
The Court of Justice of the European Union’s July 2020 Schrems II ruling invalidated the EU–U.S. Privacy Shield framework as a data transfer mechanism under the General Data Protection Regulation (GDPR). In its wake, the European Commission adopted new standard contractual clauses (SCCs) in June 2021, replacing the old SCCs (last updated in 2010) and aligning them with GDPR data protection requirements. Contracts signed after 27 September 2021 must use the new SCCs; for contracts signed before that date, organisations have until 27 December 2022 to update the terms so that all data transfers are subject to the proper safeguards.
If your business exports European personal data to the U.S. (or to any other country outside the EEA), the European Data Protection Board (EDPB) recommends taking the following actions:
- Create data mapping documents that outline exactly where all data is being transferred to outside countries.
- Identify your data transfer tool, most likely the new SCCs (there are a few other options, including binding corporate rules [BCRs]).
- Determine the effectiveness of laws/practices that apply to the data being transferred in the outside country.
- If there is an absence of GDPR-equivalent protection, determine appropriate technical and contractual measures to enhance the level of data protection.
- Carry out any formal procedural steps necessary for those measures to be effective in data transfers.
- Continuously monitor the level of protection given to the data transferred to the outside country and suspend transfer if protection becomes insufficient.
Governments on both sides of the Atlantic acknowledge that making you, the data exporter, carry out assessments of security frameworks in non-European countries can be a complex exercise. That’s why the EU and U.S. are currently working on a replacement agreement for Privacy Shield, which could be finalised by early 2022.
SOC 2 Continues to Gain Popularity
It’s undeniable that SOC 2 assessments are rapidly growing in popularity across Europe. One reason for this is that SOC 2 reports have become established as the information security gold standard for selling any type of “X-as-a-service” to businesses based in the U.S. While ISO 27001 is the security standard in much of Europe, U.S. businesses are typically less willing to accept this certification and require a SOC 2 report instead.
In addition to aiding expansion into the U.S., certain sectors in Europe (mainly in the UK) have begun to outright require SOC 2 reports as a prerequisite for doing business. These sectors include banking, insurance, and central government. The fact that UK agencies have begun necessitating SOC 2 for vendors or primes looking to engage in government contracts should be seen as a significant development and potential indicator of future growth of SOC 2 in Europe.
If your business is looking to expand internationally or get ahead of the regulatory curve by obtaining a SOC 2 report, you should start by contacting a licensed Certified Public Accountant (CPA) firm that performs the examination under the attestation standards of the American Institute of Certified Public Accountants (AICPA). COVID-era remote SOC services have been helpful for reducing certain expenses, such as travel, that go along with onsite work. However, I believe it’s possible that the AICPA could bring back onsite fieldwork requirements in 2022. Talk to a firm capable of high-quality remote and onsite audits, which provides versatility to keep you covered no matter what.
The Data and Data Governance Acts
As Europe strives to improve its assorted data-sharing mechanisms, two initiatives from the European Commission are making their way through the EU legislative process: the Data Act and the Data Governance Act.
The Data Act is focused on rights related to the access to and use of data. This includes delineating rights for non-personal internet of things (IoT) data, which is largely regulated through private contracts at the moment. For example, who owns data generated by an industrial machine in a warehouse?
The proposal also aims to refine data portability rights such as those outlined under GDPR Article 20, which was designed to allow consumers to easily switch their data over to a new service provider. The Data Act would provide more detailed technical specifications to make this process more viable, which could theoretically create a more competitive business market for said data.
The Data Governance Act, on the other hand, aims to increase the availability and sharing of public sector data that could be used to power cutting-edge technologies such as artificial intelligence (AI). It also proposes a new model for data intermediation in which consumers would be able to exercise their GDPR rights by sharing data with trusted companies via digital platforms or applications.
While the Data Act and Data Governance Act are still going through the legislative process, it’s worth keeping an eye on these two initiatives that could have major impact on the future of commerce in Europe. Ultimately, they could lead to the creation of a “genuine single market for data” which would have far-reaching implications for business and compliance alike.
Strengthening Your Business’s Compliance Program
Ensuring the privacy of consumer data and the protection of information will continue to be of utmost importance for your organisation in the coming years. If you’re looking to fine tune your business’s compliance program in order to abide by the latest regulations, while also winning new business, A-LIGN can help. Our expertise spans privacy impact assessments, GDPR-related services, and SOC 2 examinations. We have everything needed to take your compliance program to new heights in 2022.
HIPAA Safe Harbor Act – Complete Guide
The HIPAA Safe Harbor Act was designed to limit the fines associated with a data breach for healthcare organizations that implement “recognized security practices.” Do you have your cybersecurity practices in place? Learn more about how to identify what you need to mitigate risk.
Organizations that take proactive steps to implement cybersecurity initiatives to protect their customers and employees are becoming more commonplace. Yet, there are still many examples of organizations falling victim to bad actors’ efforts to steal sensitive information for financial gain.
This scenario has become more common in the healthcare industry, especially as malicious actors continue to take advantage of the COVID-19 pandemic. In fact, according to the Cybersecurity & Infrastructure Security Agency (CISA), protected health information (PHI) is estimated to be worth 10-20 times the value of credit card data on the dark web.
Data breaches targeting PHI are clearly not going away, creating a new level of urgency for enhanced cybersecurity within the healthcare industry. As regulatory oversight of the healthcare industry increases, Health Insurance Portability and Accountability Act (HIPAA) compliance becomes more valuable to you and your customers than ever.
HITECH and HIPAA Compliance
In an effort to increase cybersecurity initiatives within healthcare organizations, the Health Information Technology for Economic and Clinical Health (HITECH) Act was passed in 2009. HITECH was designed to encourage healthcare providers to adopt electronic health records (EHRs) and increase privacy and security around PHI.
This was an important development for the healthcare industry because it encouraged the adoption of a system with a heightened level of accountability for HIPAA compliance. HIPAA is a U.S. law whose Privacy and Security Rules set out safeguards that covered entities and business associates must follow to protect health information. Before HITECH was passed, organizations could avoid sanctions for a breach of PHI by a business associate by claiming they did not know the business associate was not HIPAA compliant. This was easy to do considering that the majority of health records were kept only on paper.
HITECH, however, applies HIPAA Security and Privacy Rules to business associates so everyone is responsible for maintaining HIPAA compliance. As a result, it inspired tougher penalties for HIPAA violations for not only the covered entities but for their business associates, as well. The maximum penalty for a HIPAA violation increased to $1.5 million per violation category per year.
But as we previously mentioned, even the best-laid plans can go awry. So, what happens to the healthcare organizations that do take every precaution possible to protect PHI and still suffer a HIPAA violation? Let’s find out.
HIPAA Safe Harbor Act
In January 2021, H.R. 7898, commonly called the HIPAA Safe Harbor Act, was signed into law by President Trump as an amendment to HITECH. The law directs the Department of Health and Human Services (HHS) to consider whether a covered entity or business associate had “recognized security practices” in place for the previous 12 months when it determines fines, the length and extent of audits, and other remedies for HIPAA violations.
These “recognized security practices” are specifically defined in the bill as, “voluntary, consensus-based, industry-led standards, guidelines, best practices, methodologies, procedures, and processes developed by the National Institute of Standards and Technology (NIST), approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and that are developed, recognized, or promulgated through regulations under other statutory authorities.”
But what does this mean? Implementing cybersecurity practices, like those set forth by NIST, demonstrates an organization’s effort to adequately protect PHI and other sensitive data from cybersecurity risk. That, coupled with adherence to the HIPAA Security Rule safeguards, makes the organization eligible for consideration of a lower fine or penalty from the HHS Office for Civil Rights (OCR) in the event of a cybersecurity incident. Note that the law does not guarantee a reduction: the organization must be able to adequately demonstrate that the practices were in place for the prior 12 months, so keep evidence of implementation (policies, risk analyses, control assessments) dated and retained.
A-LIGN Can Help
Though most healthcare organizations are familiar with NIST and the HIPAA Security Rule, the reality is that most organizations just don’t know how to properly — or effectively — follow and implement NIST guidelines. According to the Journal of AHIMA, HIPAA audit results from 2016 and 2017 revealed nearly 80% of audited covered entities and business associates demonstrated less than adequate risk management and risk analyses. And to date, the OCR still finds a “lack of thorough risk analysis” in a high percentage of its investigations.
Don’t be caught unprepared — A-LIGN is here to help you navigate HIPAA and HITECH compliance. A-LIGN’s assessors will review your organization’s safeguards to identify areas where you can enhance your information security program to ensure compliance and give you actionable guidance to help you get to where you need to be.
A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification.
Download our HIPAA checklist now!
What is FedRAMP and Why Does My Organization Need It?
It’s a common practice to shorten long and complicated organizational names to more digestible acronyms. However, navigating these acronyms and the programs behind them can sometimes feel like sifting through alphabet soup. That’s why I’m here to help decode one of the most well-known federal programs: the Federal Risk and Authorization Management Program—otherwise known as FedRAMP.
What is FedRAMP?
Created in December 2011 by memorandum from the Office of Management and Budget, FedRAMP was designed to provide a cost-efficient, risk-based approach to cloud adoption for federal departments and agencies. The FedRAMP security assessment framework is based on the Risk Management Framework (RMF) that implements the Federal Information Security Modernization Act (FISMA) requirements, and on NIST SP 800-53. FedRAMP allows cloud service providers (CSPs) to be assessed and authorized by federal agencies.
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring specifically for cloud products and services relied upon by federal entities that store, process and transmit federal information. This strengthened the federal government’s ‘cloud first’ initiative by enabling federal agencies to contract with approved cloud providers who were best equipped to protect vital government information.
What are the goals of FedRAMP?
According to the U.S. General Services Administration (GSA), the goal of FedRAMP is to ultimately accelerate the adoption of secure cloud solutions through the reuse of assessments and authorizations. Achieving FedRAMP authorization will also increase confidence in the security of cloud solutions and security assessments for your organization. Additional goals include:
- Achieving consistent security authorizations using a baseline set of agreed-upon standards to be used for cloud product approval
- Ensuring consistent application of existing security practices
- Increasing automation and access to real-time data for continuous monitoring
How do you know if your organization requires a FedRAMP assessment?
Simple—any organization that is currently providing, or seeking to provide, cloud products or solutions to a federal agency must undergo a full FedRAMP assessment.
A recommended first step is to achieve a ‘readiness designation’ from FedRAMP, referred to as FedRAMP Ready. Optional for agency authorizations and mandatory for Joint Authorization Board (JAB) authorizations, this designation indicates that a Third-Party Assessment Organization (3PAO) attests to a Cloud Service Provider’s readiness for the full FedRAMP authorization process and that a Readiness Assessment Report (RAR) has been reviewed and approved by the FedRAMP PMO. The RAR indicates the CSP’s ability to meet FedRAMP security requirements.
What are the benefits of achieving FedRAMP Authorization?
Being FedRAMP Authorized offers a CSP numerous benefits, such as improved real-time security visibility and providing a uniform approach to risk-based management. Your organization will save significant cost, time and resources by de-duplicating efforts related to meeting federal cybersecurity requirements. Additional benefits include:
- Increased re-use of existing security assessments across agencies
- Enhanced transparency between government and CSPs
- Improved trustworthiness, reliability, consistency and quality of the Federal security authorization process
The A-LIGN Difference
As one of the more experienced 3PAOs for FedRAMP, A-LIGN can help CSPs achieve a FedRAMP Ready and/or a FedRAMP Authorized status. If you have any questions or if you would like to learn more about undergoing a FedRAMP assessment, please reach out to one of A-LIGN’s experienced assessors.
Can You “Fail” a SOC 2 Examination?
Although you can’t “fail” your SOC 2 report, it can result in report opinions to be noted as “modified” or “qualified”. Learn what this means for your organization.
Is your organization planning for a SOC 2 report? You’re not alone. SOC 2 is gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC 2 compliance, and independent cybersecurity control validation and attestation is becoming necessary to compete for high-priority contracts. Beyond customer demand, SOC 2 ensures that controls are properly implemented and used within your organization, greatly reducing potential security threats.
During the SOC 2 examination process, it’s the auditor’s job to provide an opinion on your organization. It’s during this process that the auditor decides whether the controls meet the criteria set forth, or whether the opinion needs “modifications” or “qualifications” to paint a more realistic picture of your organization’s security posture. While you theoretically cannot “fail” a SOC 2 examination, there are SOC 2 reports with control design or operating deficiencies that result in the audit report opinion being “modified” or “qualified”. There are several reasons why this may occur, including:
- Management’s description of the system is not fairly presented in all material respects
- The controls are not suitably designed to provide reasonable assurance that the control objectives stated in the description of your organization’s system would be achieved if the controls operated as described
- In the case of a SOC 2 Type 2 report, the controls did not operate effectively throughout the specified period to achieve the related control objectives stated in the description of your system
- The service auditor is unable to obtain sufficient, appropriate evidence
Let’s take a closer look at opinion “modification” and “qualification” to learn how auditors may arrive at this conclusion and the strong evidence they would need to provide to support their claim.
What is Opinion Modification?
When determining whether to issue a “modified” or “qualified” opinion on the SOC 2 report, auditors consider the individual and aggregate effect of the identified deficiencies and deviations in your description of the system. They also must consider the suitability of the design and operating effectiveness of the controls throughout the specified period. Your auditor considers factors, such as the following:
- The likelihood that the deficiencies or deviations will result in errors or misstatements in the user’s data
- The magnitude of the errors or misstatements that could occur in the user’s financial statements as a result of the deficiencies or deviations
- The tolerable rate of deviations that the auditor has established
- The pervasiveness of the deficiencies or deviations
- Whether users could be misled if the service auditor’s opinion or individual components of the opinion were not modified
What Are the Three Types of Opinion Modifications?
Audit opinions are crucial to an organization because they speak to the integrity of the executive management team, directly affecting investors and stakeholders alike. Let’s take a look at the three types of audit opinion modifications to learn how your auditor may arrive at this conclusion.
#1. Qualified
“Qualified” opinion modifications occur when there are deficiencies or deviations in your description of the service organization’s system or in the design of the controls. This type of opinion modification also applies when deficiencies in the operating effectiveness of the controls are limited to one or more aspects of the description of your system, or when the deviation does not affect all areas of the control objectives across the system.
#2. Adverse
Your auditor considers the need to issue an “adverse” opinion when the deficiencies or deviations in the description of your system, the suitability of the design of the controls, or the operating effectiveness of the controls are pervasive throughout the description or across all or most of the control objectives.
When the auditor has determined that an “adverse” opinion is appropriate, in addition to adding an explanatory paragraph to the report, the service auditor should modify the opinion paragraph of your report. The following is an example of such a paragraph:
In our opinion, because of the matter referred to in the preceding paragraph, in all material respects and based on criteria described in [name of service organization’s] assertion on page [xx], the description does not fairly present the [type or name of the system] that was designed and implemented throughout the period. The controls related to the control objectives stated in the description were not suitably designed to provide reasonable assurance that the control objectives would be achieved if the controls operated effectively throughout the period [date] to [date]. The controls tested, which were those necessary to provide reasonable assurance that the control objectives stated in the description were achieved, did not operate effectively throughout the period from [date] to [date].
#3. Disclaimer
A “disclaimer” modification is noted if the auditor is unable to obtain sufficient, appropriate information. This could be because you refuse to provide a written assertion (after initially agreeing to do so) and law or regulation does not allow the auditor to withdraw from the engagement. The disclaimer opinion modification may also occur if you refuse to provide a representation reaffirming your written assertion, in which case the auditor is permitted to withdraw from the engagement.
Paragraph .57 of AT section 801 states that if the auditor disclaims an opinion, their report should not identify the procedures that were performed nor include statements describing the characteristics of an auditor’s engagement, because to do so might overshadow the disclaimer. When disclaiming an opinion, in addition to adding an explanatory paragraph to the auditor’s report, they should also modify the opinion paragraph of the report by adding a sentence such as the following at the end of the opinion paragraph: “Because of the matter described in the preceding paragraph, the scope of our work was not sufficient to enable us to express, and we do not express, an opinion.”
Examples of Findings Leading to Qualified Opinion
Case 1. Modified SOC Report
A modified SOC report can be issued if software developers have the ability to introduce changes into the production environment, and this change could not be detected by detective controls in a timely manner by appropriate members of your organization.
Case 2. Qualified SOC Report
In another instance, a qualified SOC report can occur if you cannot demonstrate that adequate controls are in place to support a control objective described in the system description. This is most easily determined by exceptions noted in the test of controls performed.
If exceptions are noted upon testing a control activity, additional samples are selected to determine if a control is operating effectively. If it is determined that a key control needed to support a control objective is not operating effectively, the opinion within the auditor’s report must be modified to disclose that this control activity is not operating effectively.
Common Reasons for Opinion Modification or Qualification
There are many reasons why your auditor may feel an opinion “modification” or “qualification” is necessary. In this situation, the auditor will describe the reasons for the modification of the opinion within the “basis for opinion” section of the report, providing you with information that is useful in understanding their findings. Let’s take a look at some of the most common reasons opinion modification or qualification occurs.
Excessive logical or physical access
Excessive logical access occurs when, for example, your organization has granted privileged access to too many users. For physical access, an example would be too many users having access to areas that should be restricted, such as server rooms.
Lack of supporting documentation
Your organization lacks supporting documentation and is unable to demonstrate the evidence that a control is executed.
Failure to properly scope
An example of an organization that fails to scope relevant aspects of its services within the system description would be a payroll company that fails to describe its payroll input, processing, or reporting processes.
Failure to analyze risk
Your organization does not address the inherent risks associated with the service it provides.
Failure to address issues
Your organization fails to address issues or incidents that occur.
Lack of consistent control execution
Your organization lacks consistent execution of controls in different management groups.
Failure to meet all aspects of an objective
Your organization would fail to meet all aspects of an objective or criterion if, for example, you perform backups but lack the controls to ensure the security of those backups, or you do not periodically test that the backups can actually be restored.
Prepare for a Successful SOC 2 Examination
Having your SOC 2 report opinion classified as “modified” or “qualified” may result in a negative perception of your executive team among customers and stakeholders. To avoid this outcome, it’s imperative that you properly plan for your SOC 2 examination to ensure success and an in-depth report ready to share with your current and potential customers.
When beginning the SOC 2 compliance journey it is important to engage a professional and certified auditing firm to work with you, helping to mitigate any issues in the examination process. As a licensed CPA firm and one of the top issuers of SOC 2 reports in the world, A-LIGN has the people, process, and technology you need to help your organization reach the summit of your potential as it pertains to compliance.
What is NIST Compliance and Why is it Critical to Cybersecurity
Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST 800-171.
Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information.
National Institute of Standards and Technology (NIST) 800-171 is a mandate that states that federal contractors and subcontractors that handle, transmit, or store controlled unclassified information (CUI) must comply with certain standards to protect that data. Compliance with NIST 800-171 is required under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.
What is Controlled Unclassified Information (CUI)?
CUI is information created or owned by the government that is unclassified, but still very sensitive. As such, it is required that this information be safeguarded from unauthorized exposure. CUI may be in the form of electronic files, emails (or email attachments), blueprints, and more.
The CUI designation was established via an Executive Order in 2010, formalizing the way in which this information is managed and regulated. The National Archives and Records Administration (NARA) operates a CUI Registry with organizational index groupings and CUI categories, outlining all the different types of information that fall under the CUI designation.
What’s Included in NIST 800-171?
In total, NIST 800-171 lists more than 100 different security requirements within 14 control categories:
- Access Control: Requirements related to who has access to business computers and networks, and what types of information different roles are able to access.
- Awareness and Training: Relates to an organization’s ability to understand and identify security threats.
- Audit and Accountability: Requires that an organization sets up user accounts and a structure to restrict access to auditing systems and functions to only administrators and IT personnel.
- Configuration Management: Limits a user’s ability to update security settings or install unapproved software on computers which access an organization’s network.
- Identification and Authentication: These controls regulate password requirements and multifactor authentication systems.
- Incident Response: Requires an organization to design a set of procedures for handling systems issues, and train personnel to report security incidents to administrators and managers.
- Maintenance: Requirements related to removing sensitive data from equipment that needs to be sent out for repair, and ensuring removable media is scanned for malicious software.
- Media Protection: This set of controls regulates how an organization marks CUI, transfers CUI on/off removable media, and encrypts CUI on removable media.
- Personnel Security: Controls regarding disabling and deleting user accounts after employees are terminated or transferred.
- Physical Protection: Outlines the proper use of surveillance and security measures to monitor physical facilities.
- Risk Assessment: Requires organizations to perform routine risk assessments and update procedures accordingly.
- Security Assessment: Requires organizations to perform routine reviews of security measures and create a plan to track vulnerabilities.
- System and Communications Protection: Outlines the required use of encryption tools and requirements for segmenting system networks into separate portions.
- System and Information Integrity: Controls related to an organization’s ability to monitor systems and identify threats.
What is the difference between CMMC and NIST 800-171?
NIST 800-171 is a voluntary framework that relies on self-attestation of adherence. Unfortunately, over the past few years, it’s been found that an alarming number of contractors are deficient in their management and implementation of NIST 800-171.
The Cybersecurity Maturity Model Certification (CMMC) is a program created to audit compliance with NIST 800-171. The government has tried to implement other rules requiring the NIST 800-171 self-assessment but has struggled with adoption due to limited enforcement — the most recent attempt is via the DFARS Interim Rule. This rule specifies that all contractors (prime contractors and subcontractors) post a current assessment into the Supplier Performance Risk System (SPRS) as a requirement to submit bids with the DoD. The purpose of the DFARS Interim Rule is to increase the protection of unclassified information within the DoD supply chain.
With CMMC, the goal is to provide a verification mechanism to ensure cybersecurity controls and processes adequately protect CUI that resides on Defense Industrial Base (DIB) systems and networks. CMMC goes beyond what’s included within NIST 800-171, requiring additional cybersecurity practices and controls.
It is expected that by 2026 all DoD contracts will require CMMC.
What Happens if I Don’t Comply with NIST 800-171?
As of 2019, the government has the authority to audit contracted organizations for NIST 800-171 compliance at any time. Proper compliance is therefore essential in order to continue working with the Federal Government. Failure to comply with NIST 800-171 could result in:
- Failure to obtain new government contracts
- A loss of current contracts
- Removal from the DoD’s Approved Vendor list
How Can I Become NIST 800-171 Compliant?
As stated above, NIST 800-171 involves a self-assessment process. Professional auditors, like A-LIGN, can assist your organization through that process, by assessing your company’s controls against the published controls in NIST 800-171. If your organization is looking to complete a NIST 800-171 self-assessment, our auditing experts will help you to complete the NIST 800-171 assessment that is required by the DFARS Interim Rule to satisfy the DoD requirements for protecting CUI.
Our experts understand the nuances of NIST control elements and are familiar with a range of federal compliance mechanisms including NIST 800-53 and FedRAMP. With our breadth and depth of knowledge related to the federal compliance landscape, you can feel confident in your organization’s ability to meet the security requirements outlined by the Federal Government.