A-LIGN

What is NIST Compliance and Why is it Critical to Cybersecurity

by: A-LIGN, 11 Nov 2021, 5 min read

NIST 800-171

Your organization can’t afford to lose valuable government contracts. Protect your business by bolstering your organization’s ability to comply with NIST SP 800-171.

Government contracts are highly lucrative, but also tough to secure and manage. That’s because the Federal Government deals with a lot of classified and controlled information on a day-to-day basis. Any contractors or subcontractors who wish to work with the Federal government must, therefore, have security procedures in place to protect that sensitive information.

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 sets out the security requirements that federal contractors and subcontractors must implement when they handle, transmit, or store controlled unclassified information (CUI) in nonfederal systems. The publication itself is a standard rather than a law: for Department of Defense (DoD) contractors, the obligation to implement it comes from Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012.

What is Controlled Unclassified Information (CUI)?

CUI is information created or owned by the government that is unclassified, but still very sensitive. As such, it is required that this information be safeguarded from unauthorized exposure. CUI may be in the form of electronic files, emails (or email attachments), blueprints, and more.

The CUI program was established by Executive Order 13556 in 2010, formalizing the way in which this information is managed and regulated. The National Archives and Records Administration (NARA) operates a CUI Registry with organizational index groupings and CUI categories, outlining all the different types of information that fall under the CUI designation.

What’s Included in NIST 800-171?

In total, NIST SP 800-171 lists 110 security requirements grouped into 14 families:

  • Access Control: Limit system access to authorized users, processes, and devices, and limit what each role is permitted to do (least privilege, separation of duties, session controls, and control of remote and wireless access).
  • Awareness and Training: Ensure managers, administrators, and users understand the security risks of their activities and are trained to carry out their security responsibilities, including recognizing indicators of insider threat.
  • Audit and Accountability: Create, protect, and retain system audit logs so that unlawful or unauthorized activity can be monitored, analyzed, investigated, and traced back to individual users.
  • Configuration Management: Establish and maintain baseline configurations, control changes, apply least functionality, and restrict users from installing unapproved software on systems that access CUI.
  • Identification and Authentication: Identify users, processes, and devices and authenticate them before granting access, including password complexity and reuse rules and multifactor authentication for privileged accounts and network access.
  • Incident Response: Establish an operational incident-handling capability covering preparation, detection, analysis, containment, recovery, and user response; track and report incidents to the appropriate officials; and test the capability.
  • Maintenance: Control system maintenance, sanitize equipment of CUI before it is removed for off-site repair, and check media containing diagnostic or test programs for malicious code before use.
  • Media Protection: Protect, mark, and control access to media containing CUI, sanitize or destroy it before disposal or reuse, and encrypt CUI stored on digital media during transport.
  • Personnel Security: Screen individuals before authorizing access to CUI, and protect CUI and systems during and after personnel actions such as terminations and transfers (for example, by promptly disabling accounts).
  • Physical Protection: Limit physical access to systems and facilities to authorized individuals, escort and monitor visitors, maintain physical access logs, and control physical access devices.
  • Risk Assessment: Periodically assess risk to operations, assets, and individuals; scan systems and applications for vulnerabilities; and remediate what is found.
  • Security Assessment: Periodically assess whether controls are effective, develop and maintain plans of action to correct deficiencies, monitor controls on an ongoing basis, and maintain a system security plan.
  • System and Communications Protection: Monitor and protect communications at system boundaries, separate user functionality from system management, use FIPS-validated cryptography to protect CUI, and segment networks.
  • System and Information Integrity: Identify and correct flaws in a timely manner, protect against malicious code, act on system security alerts and advisories, and monitor systems to detect attacks.

What is the difference between CMMC and NIST 800-171?

Under DFARS 252.204-7012, compliance with NIST SP 800-171 relies on contractor self-attestation: no independent verification is required. Unfortunately, over the past few years it has been found that an alarming number of contractors are deficient in their management and implementation of NIST SP 800-171.

The Cybersecurity Maturity Model Certification (CMMC) is a program created to verify compliance with NIST SP 800-171 through assessment. The government has tried to implement other rules requiring a NIST SP 800-171 self-assessment but has struggled with adoption due to limited enforcement. The most recent attempt is the DFARS Interim Rule, which requires all contractors (prime contractors and subcontractors) to complete a NIST SP 800-171 DoD Assessment and post the current score in the Supplier Performance Risk System (SPRS) before the DoD will award a contract. The purpose of the DFARS Interim Rule is to increase the protection of unclassified information within the DoD supply chain.

With CMMC, the goal is to provide a verification mechanism to ensure cybersecurity controls and processes adequately protect CUI that resides on Defense Industrial Base (DIB) systems and networks. Under the original CMMC model, CMMC went beyond what is included in NIST SP 800-171, requiring additional cybersecurity practices and processes (the CMMC 2.0 changes announced on November 4, 2021, discussed later on this page, realign Level 2 with the 110 NIST SP 800-171 requirements).

It is expected that by 2026 all DoD contracts will require CMMC.

What Happens if I Don’t Comply with NIST 800-171?

As of 2019, the government has the authority to audit contracted organizations for NIST 800-171 compliance at any time. Proper compliance is therefore essential in order to continue working with the Federal Government. Failure to comply with NIST 800-171 could result in:

  • Failure to obtain new government contracts
  • A loss of current contracts
  • Removal from the DoD’s Approved Vendor list

How Can I Become NIST 800-171 Compliant?

As stated above, NIST 800-171 involves a self-assessment process. Professional auditors, like A-LIGN, can assist your organization through that process, by assessing your company’s controls against the published controls in NIST 800-171.  If your organization is looking to complete a NIST 800-171 self-assessment, our auditing experts will help you to complete the NIST 800-171 assessment that is required by the DFARS Interim Rule to satisfy the DoD requirements for protecting CUI.

Our experts understand the nuances of NIST control elements and are familiar with a range of federal compliance mechanisms including NIST 800-53 and FedRAMP. With our breadth and depth of knowledge related to the federal compliance landscape, you can feel confident in your organization’s ability to meet the security requirements outlined by the Federal Government.

CMMC 2.0 Updates- What Do These Changes Mean for Your Organization?

by: A-LIGN and Pinal Desai, 08 Nov 2021, 4 min read

CMMC

Three major changes were announced for CMMC: fewer security tiers, new level definitions and requirements, and allowance for “Plan of Action & Milestone” reports. Learn more about the DoD’s major changes to the CMMC program.

Like everyone else in the world of federal compliance, we’ve been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020.

The controversial certification program has simultaneously been praised for its potential to raise cybersecurity standards for DoD contractors and criticized for the cost to comply, which is seen as a burden for many small businesses that are executing federal contracts.

On November 4, 2021, the DoD announced several updates and changes with the introduction of “CMMC 2.0,” which clarifies how CMMC will be implemented.

Paring Down the Scope

The initial CMMC draft established five tiers (levels) of cybersecurity requirements for contractors. The level a contractor must meet depends on the types of data it handles to execute federal contracts. CMMC 2.0 reduces this to three levels, designed to simplify the program requirements:

  • Levels 2 and 4 from the original framework are eliminated, along with all maturity-process requirements.
  • Level 1 Foundational: Keeps the same 17 practices outlined in the original CMMC framework, but now requires only an annual self-assessment and an affirmation by company leadership.
  • Level 2 Advanced: Pares the 130 practices of the original CMMC Level 3 baseline down to the 110 requirements of NIST SP 800-171. The DoD is working on a process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advanced requirements every three years (triennially). All other organizations will be required only to perform an annual self-assessment and company affirmation. Organizations that are not required to undergo an independent assessment by a C3PAO may still have one performed, and we expect it to carry the same validity as those required for “prioritized acquisitions.”
  • Level 3 Expert: Replaces what was formerly known as CMMC Level 5. Details of this level are still being defined; it is expected to add a subset of controls from NIST SP 800-172 on top of the Level 2 requirements.

Removing Some Third-Party Assessment Requirements

Under the new model, Level 1 contractors will no longer be required to get a third-party certification. Instead, they will follow a self-assessment protocol which can significantly reduce the cost of compliance for many contractors. These self-assessments will require an annual affirmation by company leadership.

CMMC 2.0 Level 2 assessment requirements have also been updated to allow self-assessments in some cases, in lieu of independent assessments. Under CMMC 2.0, third-party assessments will only be required for companies “supporting the highest priority programs.”

Even where a self-assessment is permitted, we strongly recommend engaging a third-party assessor to complete your CMMC assessment, both to ensure compliance and to avoid penalties, which can be significant. An independent assessment also helps accelerate revenue and market growth by differentiating your business: it gives your customers assurance that the necessary controls are in place.

Minimizing Barriers to Pass Assessment

The self-assessments are just one part of changes implemented to remove assessment barriers for contractors. Another key piece is the decision to allow “Plans of Action & Milestones” (POA&Ms) reports in certain cases. With these reports, contractors can pass an assessment even if they do not currently meet every security control required — provided their report properly outlines a plan of action, and deadlines, to meet those controls in the future. We expect the DoD to further refine the POA&M requirements for CMMC 2.0. Expect to see DoD requirements for findings to be resolved within 180 days and guidance on what may constitute a “showstopper” preventing a CMMC Certification.

What’s Next?

Overall, the changes implemented significantly streamline the requirements to comply with CMMC and remove a lot of barriers to compliance for smaller contractors. At this time, it appears that CMMC pilots and contract requirements will be temporarily suspended until the DoD finalizes these CMMC 2.0 changes.

For contractors who are waiting in the wings, the wait continues. We continue to advise that companies prepare for CMMC by staying up to date with changes and announcements from the DoD, researching options for assessment partners (if a third-party assessment is still relevant to your company), and seeking compliance with the existing NIST 800-171 framework in order to give your company a leg up on eventual CMMC compliance.

Reduce Audit Time and Penalties with HITRUST CSF v9.5

by: Blaise Wabo and Pinal Desai, 21 Oct 2021, 4 min read

HIPAA, HITRUST

Did you know HITRUST v9.5 can help reduce OCR audit time and minimize penalties?  Learn more from A-LIGN’s Healthcare and Financial Services Knowledge Leader, Blaise Wabo, on why you should select v9.5 when pursuing a HITRUST certification.

Since 2007, the HITRUST CSF has been recognized as a well-rounded and certifiable security framework for organizations of all sizes and industries. With the new CSF v9.5 update, HITRUST continues to demonstrate its value by offering a reformatted report that stakeholders can provide to the HHS Office for Civil Rights (OCR) during an audit or investigation following a cybersecurity event or data breach.

Let’s look closer at the cause for the new report, what HITRUST v9.5 includes, and how this update will benefit your organization.

The Beginning: The HIPAA Safe Harbor Bill

The HIPAA Safe Harbor Bill was signed into law on January 5, 2021, by former President Trump. This law amends the HITECH Act so that the Department of Health and Human Services (HHS) and its Office for Civil Rights (OCR) must recognize and encourage security best practices for HIPAA compliance. Specifically, HIPAA Safe Harbor reduces financial penalties and the length and extent of audits for covered entities and business associates that can demonstrate they have had “recognized security practices” in place for at least the previous 12 months.

The HIPAA Safe Harbor bill changed the cybersecurity industry in a big way. If your organization processes Protected Health Information (PHI), Electronic Protected Health Information (ePHI), or Personally Identifiable Information (PII), you could be the target of a breach and, as a result, an OCR audit. HIPAA Safe Harbor does not prevent the audit, but if you can document a cybersecurity program built on recognized security practices, OCR must take that into account when determining penalties and the scope of its review.

HITRUST CSF is one reliable way to demonstrate HIPAA compliance. Note that HHS does not issue an official HIPAA certification; HITRUST CSF certification is the most widely recognized third-party certification that maps directly to the HIPAA requirements. For this reason, the HITRUST CSF is often utilized, and sometimes required, by organizations in the healthcare industry.

What is the HITRUST CSF?

The HITRUST CSF is a scalable and extensive security framework used to efficiently manage the regulatory compliance and risk management of organizations. By unifying regulatory requirements and recognized frameworks from ISO 27001, NIST 800-171, HIPAA, PCI DSS, GDPR, and more into one comprehensive system, the HITRUST CSF streamlines the audit process by assessing once and reporting against multiple framework requirements.

Thanks to its ability to combine several assessments and requirements into one framework, the HITRUST CSF allows clients to decide what they want to test against and to evaluate the controls based on that level of risk. This “assess once, report many” approach means that assessors are performing several different audits, but the organization feels like they’re only undergoing one. Because of this benefit and its exhaustive focus on security, the HITRUST CSF has been adopted by organizations across different industries.

What’s new in HITRUST v9.5?

When the HITRUST approach is fully implemented and HITRUST CSF Certification is achieved, covered entities and business associates are able to demonstrate that they meet the requirements of the HIPAA Security Rule and Breach Notification Rule.

With the release of HITRUST v9.5, a reformatted report can be generated from the MyCSF Compliance and Reporting Pack for HIPAA for use during an OCR audit. According to HITRUST, this new report:

  • Is formatted by HIPAA controls and maps the applicable HIPAA requirements to your HITRUST CSF Assessment
  • Provides the ability to select only the regulation subparts that the OCR requests in the event of an audit
  • Maps each requirement to your corresponding policies and evidence for submission to the OCR

What Does HITRUST v9.5 Mean for Your Organization?

The new MyCSF Compliance and Reporting Pack for HIPAA enables organizations to submit and present compliance evidence more quickly and seamlessly. If you already hold a HITRUST v9.3 or v9.4 certification, HITRUST will be unable to create an OCR package in the event of an audit. To better safeguard your organization, you will need to resubmit your assessment against HITRUST v9.5.

If your organization handles PHI, ePHI, or PII data, there are two main reasons you may be selected to undergo an OCR audit. The first is based purely on the number of records that you hold and that may have been compromised in a security breach. The second is based on how you responded immediately following the breach. The HIPAA Breach Notification Rule defines who must be notified after a breach and in what order:

  1. Notify affected individuals (without unreasonable delay, and no later than 60 days after discovery)
  2. Notify the Secretary of Health and Human Services (HHS)
  3. Notify prominent media outlets (required only for breaches affecting more than 500 residents of a state or jurisdiction)
  4. If the breach occurred at or by a business associate, the business associate must notify the covered entity, which then carries out the notifications above

The A-LIGN Difference

We encourage all covered entities and business associates pursuing a HITRUST assessment that may be subject to an OCR audit to select version HITRUST v9.5.

A-LIGN’s experience and commitment to quality has helped more than 300 clients successfully achieve HITRUST certification. Our diligent audit process helps you prepare for the HITRUST assessment, and our team of HITRUST experts is here to answer any questions you might have through every step of the assessment.


Examining the Popularity of the SOC 2 Audit

by: Patrick Sullivan and Pinal Desai, 23 Sep 2021, 4 min read

SOC 2

Is your organization planning for a SOC 2 report?  You’re not alone.  In our 2021 Compliance Benchmark Report, SOC 2 emerged as the most popular audit for cybersecurity, IT, quality assurance (QA), internal audit, finance, and other professionals across a variety of industries.

SOC 2 is gaining in popularity across industries and across the globe. More and more customers are asking for demonstrated SOC 2 compliance, and independent validation and attestation of cybersecurity controls is becoming necessary to compete for high-priority contracts. Beyond customer demand, a SOC 2 examination verifies that controls are suitably designed and, in a Type 2 report, operating effectively over the review period, which greatly reduces the organization’s exposure to security threats.

In our 2021 Compliance Benchmark Report, we asked more than 200 cybersecurity, IT, quality assurance (QA), internal audit, finance, and other professionals about which audits are most important to their business.

The answer? Almost half of our respondents (47%) named SOC 2 as the most important audit, attestation, or assessment. SOC 2 examinations were designed to assist organizations of any size, regardless of industry and scope, by reporting on the controls a service organization uses to protect the data of its potential and existing customers. Interestingly, this audit edged out the popular ISO 27001 security framework, which only 39% of respondents labeled as the most important audit for their business.

The findings indicate that more is more when it comes to cybersecurity.  Since organizations can potentially be held liable for inaccurate financial reporting, security breaches, disclosure of confidential or private information, system downtime and incorrect processing of transactions, they now find providing the extensive information required in a SOC 2 report attests to their security posture in areas including:

  • Access control
  • Passwords
  • Change management
  • Incident response
  • Logging and monitoring
  • And other critical areas of data protection

Read on for more insights about why organizations are prioritizing SOC 2 assessments.

A Way to Build Customer Trust

The popularity of SOC 2 can be driven by customers, external stakeholders, or a business’ internal operations team. 33% of our survey respondents reported that customers most frequently ask for SOC 2 when doing their due diligence on how a company secures its data. More and more customers, especially those in large and highly regulated industries, are demanding this type of assurance from their vendors. Although SOC 2 is a voluntary standard, customers appear to put their trust in its framework and feel confident that organizations that complete SOC 2 secure their systems and networks in a professional, process-oriented manner. A SOC 2 report attests to whether the controls that protect against unauthorized access, unauthorized disclosure, and damage to systems are in place and operating.

Obtaining a SOC 2 report also shows customers a level of maturity in your IT security. The ability to provide a SOC 2 report ensures the customer that you prioritize the protection of their most valuable asset, data.  You can also utilize your SOC 2 to position your organization well against competitors, allowing your customers to easily see the value you provide.

Plans are in Place

Over the next 12 months, our survey respondents will remain busy with SOC 2-related tasks. A total of 43% of respondents indicated that they were currently conducting an audit or planning to conduct a SOC 2 audit in the next 12 months. In some industries, that number was significantly higher:

  • Technology: 82%
  • Finance: 75%
  • IT Services: 75%
  • Healthcare: 65%

For technology, healthcare and finance organizations, SOC 2 was the most in-progress and planned audit — edging out others like HIPAA and PCI DSS. For IT services, ISO 27001 was a slightly higher priority, at 83% to SOC 2’s 75%.

For organizations that are still in the SOC 2 planning stages, there are plenty of ways to prepare for a successful audit. The first step is to choose your auditing firm carefully. Many vendors sell software to help an organization prepare and gather evidence for an audit, but only a licensed CPA firm can conduct the examination and issue a SOC 2 report. Choosing an auditing firm that is licensed not only to help you prepare but also to conduct the actual audit will make for a more seamless process.

Key Takeaways

When surveyed, 64% of respondents stated they have conducted an audit or assessment to win new business and 14% responded having lost a business deal because they were missing a compliance certification.  Although SOC 2 is optional, it is quickly becoming the cost of doing business and onboarding new clients.  More and more customers are requesting SOC 2 reports to ensure controls are properly implemented and used within your organization, reducing security threats and keeping their assets safeguarded.

The benefits of having a SOC 2 report are clear. Investment today ensures success in the future: with an in-depth report complete and ready to share with customers, organizations can close deals without delay and demonstrate a commitment to protecting the data of their potential and existing customers.

A-LIGN’s New Ransomware Preparedness Assessment

by: A-LIGN and Pinal Desai, 14 Sep 2021, 9 min read

Cybersecurity, Ransomware Preparedness

Cybersecurity should never be an afterthought. Prepare your organization for the threat of ransomware with A-LIGN’s new Ransomware Preparedness Assessment.

With ransomware attacks on the rise, it’s crucial that your organization is prepared.  A-LIGN’s Ransomware Preparedness Assessment puts an effective strategy in place to help prevent attacks and mitigate the potential damage if an attack occurs.

Cybersecurity threats aren’t new to organizations, but over the past year one threat rose above the others: ransomware attacks. While some attackers seek out organizations that could yield the greatest payout (or, as in the Colonial Pipeline attack, wreak the greatest havoc), most simply look for known weaknesses they can easily exploit.

The reality is that ransomware is a growing threat. In fact, the ransomware global attack volume increased by 151% for the first six months of 2021 compared to the first six months of 2020.

And here are a few other sobering statistics from Sophos’ “The State of Ransomware 2021” report:

  • 54% of organizations that were hit by ransomware in the last year said the cybercriminals succeeded in encrypting their data.
  • On average, only 65% of the encrypted data was restored after the ransom was paid; only 8% of the surveyed organizations got all their data back.
  • The average bill for rectifying a ransomware attack (which includes: The downtime, people time, device cost, network cost, lost opportunity, and ransom paid) is $1.85 million.

When it comes to cybersecurity preparedness, it’s not about “if” but “when” an incident will occur. And the world is starting to accept this as truth.

In fact, following the Colonial Pipeline incident in May 2021, President Joe Biden signed Executive Order 14028, “Improving the Nation’s Cybersecurity,” which introduced efforts to improve the nation’s cybersecurity. And many cybersecurity leaders recognize the value of a third-party risk management strategy that pulls best practices from NIST and ISO standards to perform regular audits and plan for third-party incident response.

But organizations need to do more than create plans. They need to consistently test those plans to ensure the people and processes in place function as they should.

A-LIGN’s Ransomware Preparedness Assessment

To help organizations ensure they are ready when a cybersecurity incident occurs, A-LIGN released the Ransomware Preparedness Assessment. The assessment provides organizations with a holistic strategy to evaluate preparedness for a potential ransomware attack through three distinct phases: Discovery & Maturity Assessment, Technical Assessment, and Recovery Capability Assessment.

The Discovery & Maturity Assessment

Phase one of A-LIGN’s Ransomware Preparedness Assessment, the Discovery & Maturity Assessment, includes two focus areas. The first is to gain a better understanding of the current environment and threat landscape within a company. A-LIGN does this by conducting discovery workshops to help identify potential areas of improvement in the company’s cybersecurity posture.

The Discovery & Maturity Assessment leans heavily on the methodology outlined in the NIST Cybersecurity Framework (CSF). The CSF evaluates an organization’s capabilities across five core functions: Identify, Protect, Detect, Respond, and Recover.

NIST CSF functions and descriptions:

  • Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement the appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity incident.
  • Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.


The second piece of the Discovery & Maturity Assessment is the Architecture Review. The purpose is to understand the company’s enterprise-wide architecture to identify where there are — or could be — vulnerabilities. A-LIGN does this through a series of workshops with relevant stakeholders to review current IT architecture, network segmentation, and any existing strategic plans for improvement of the architecture.

Following the review, A-LIGN provides the organization with a Maturity Assessment report that describes the organization’s ability to carry out various cybersecurity risk management practices. A-LIGN does this by assigning the company a tier classification that ranges from Level 1 to Level 4.

IT security tier classification and level descriptions (based on NIST security maturity levels):


Level 1: Partial Implementation
  • Cybersecurity risk management policies exist, though they are often reactive instead of proactive.
  • There may be unreliable participation in the risk management program or there may be undefined areas in the policies where additional guidance to refine the policy is required.
Level 2: Risk Informed
  • Cybersecurity risk management policies are likely approved and documented, though likely not consistently implemented throughout the organization.
  • There is an awareness of cybersecurity efforts throughout the organization, and procedures may clearly define the IT security responsibilities and expectations across various roles, but there are likely informal methods used to mitigate risk.
Level 3: Repeatable
  • Procedures are clearly defined and recognized as corporate policy. These guidelines are then communicated to individuals who are required to follow them.
  • IT security procedures and controls are implemented in a consistent manner everywhere that the procedure applies and are reinforced through training.
  • Procedures clarify where the procedure is to be performed, how the procedure is to be performed, when the procedure is to be performed, who is to perform the procedure, and on what the procedure is to be performed.
Level 4: Adaptive
  • Policies, procedures, implementations, and tests are continually reviewed and improvements are made.
  • Tests are routinely conducted to evaluate the adequacy and effectiveness of all implementations.
  • Tests ensure that all policies, procedures, and controls are acting as intended, and they ensure the appropriate IT security level.
  • Effective corrective actions are taken to address identified weaknesses, including those identified as a result of potential or actual IT security incidents or through IT security alerts issued by FedCIRC, vendors, and other trusted sources.
  • A comprehensive IT security program is an integral part of the culture.

The Technical Assessment

The second phase of the Ransomware Preparedness Assessment is the Technical Assessment, which includes Penetration Testing and Social Engineering. Together they help organizations recognize that technical weaknesses and the human element both play a significant role in cybersecurity risk.

Penetration Testing focuses on testing a company’s external and internal defenses to assess its ability to effectively detect and respond to a malicious actor. This is done through internal, external, and web application penetration tests, as applicable, that simulate a real-world attack against those defenses.

For Social Engineering, A-LIGN conducts a series of campaigns in an attempt to compromise the credentials of both privileged and non-privileged users to gain access to information systems. This could include phishing, spear phishing, pretexting, or vishing, among a variety of other options, and is based on the desired scope of the organization.

For both types of tests, A-LIGN works closely with the company to understand how it wants to be tested based on its specific areas of concern and priorities. A-LIGN also ensures that the rules of engagement are documented and agreed before the test starts.

Following the completion of the Technical Assessment, the company will receive a Penetration Test report as well as a Social Engineering report that includes a summary of the tasks completed, the results, and the recommended actions that will enable the company to be in a more secure position.

The Recovery Capability Assessment

The final phase of the Ransomware Preparedness Assessment is the Recovery Capability Assessment phase, which includes a review of the organization’s Business Continuity and Disaster Recovery (BCDR) Plans and a table-top exercise. During the BCDR plan review, A-LIGN compares the company’s existing plan against industry best practices to identify potential gaps and areas of improvement.

The final component of the Recovery Capability Assessment phase is a table-top exercise that tests the team’s ability to respond to a specific event. The goal of this exercise is to simulate a real-world scenario to assess the company’s capability to respond to any event that impacts the business.

This full-day workshop can include a variety of stakeholders from the organization, including the C-Suite (and specifically the CISO), business continuity manager, human resources, legal/compliance, and even steering committees.

Throughout the entire workshop, A-LIGN documents what needs to be fixed or adjusted in the BCDR Plan to ensure the organization is ready to efficiently and effectively respond to these events.

Is A-LIGN’s Ransomware Preparedness Assessment Right for My Business?

A-LIGN’s Ransomware Preparedness Assessment is designed for any organization that wants either to test its preparedness for the risk of a cybersecurity event or to determine whether its planned response to a cybersecurity event is efficient.

A-LIGN will work with your organization to understand what the goals and intentions are for the use of the assessment to design a clear and well-defined scope.

The Additional Benefits

Undergoing A-LIGN’s Ransomware Preparedness Assessment is one of the most strategic cybersecurity actions an organization can take. Not only can many of the steps conducted as part of the Ransomware Preparedness Assessment be repurposed to help you meet other compliance requirements, but the insights provided around the gaps that exist across the organization inform the Enterprise Risk Management (ERM) strategy. Business strategy and ERM are closely related, and keeping them aligned creates a stronger and more strategic organization.

Taking a proactive approach to assessing your readiness for cybersecurity threats shows your clients and customers that you take cybersecurity threats seriously and are taking the steps necessary to protect the data and information of your organization and that of your customers.

Mind the Gap

The growing cybersecurity threat landscape has made cybersecurity a requirement for organizations of all sizes and across every industry. The hard truth is that it’s not about if, but when a cybersecurity event will happen, and the financial and reputational harm is very real.

When an event does happen, you want your organization to be prepared to not only recognize it early on, but to have an effective strategy in place to respond to the event and mitigate the associated risks. This includes recognizing where gaps exist in your cybersecurity strategy, including the significant risk associated with your employees.

The Ransomware Preparedness Assessment from A-LIGN ensures your company is ready for an event when it happens.

ISO 27701 and GDPR Compliance: What You Need to Know

by: A-LIGN 02 Sep,2021 5 min

GDPR, ISO 27001, Privacy

Can ISO 27701 guarantee GDPR compliance? ISO 27701 can position any organization well for future GDPR compliance. While one is a management system and the other is technically a legal framework, ISO 27701 helps to create a path on your journey to GDPR.

In 2019, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) introduced ISO/IEC 27701:2019. This was done to provide organisations with an additional component to stack on top of ISO/IEC 27001. But the possibility of adopting ISO 27001 and ISO 27701 together raised a lot of questions in the privacy community. The biggest question: will the combination of ISO 27001 and ISO 27701 equate to GDPR compliance?

In short, the answer is “no,” but it can help you along the way toward GDPR compliance. ISO 27001 and ISO 27701 together offer a way for organisations to bolster information security management systems and become certified in a privacy standard. And though it’s a solid foundation for organisations working on fulfilling GDPR requirements, ISO 27001 and ISO 27701 don’t cover all aspects of the GDPR.

What is ISO 27001 and ISO 27701?

ISO 27001 is a longstanding cybersecurity framework used to build an information security management system (ISMS) within an organisation. The security standard was published by the International Organization for Standardization and the International Electrotechnical Commission in 2005 and later revised in 2013 and 2022; the ISO 27701 extension was published in 2019.

ISO 27701 was created as an additional component to complement ISO 27001 by introducing more privacy-specific controls. With ISO 27701, organisations can create a Privacy Information Management System (PIMS) and become certified in certain privacy practices. ISO 27701 was created in large part to provide guidance for complying with privacy regulations being introduced across the world, such as the GDPR (General Data Protection Regulation) and the CCPA (the California Consumer Privacy Act).

However, ISO 27701 is not a standalone standard. Rather, the original ISO 27001 information security management system standard serves as a foundational chassis, and organisations can add on additional standards, such as ISO 27701, that work well for the specifics of their business. By combining ISO 27701 and ISO 27001, organisations can build trust, prepare for privacy regulations, and more. In addition, many of the elements of ISO 27701 map directly back to aspects of the GDPR.

What is GDPR?

GDPR is a privacy and security regulation that was put into effect worldwide in May 2018. It imposes privacy and security standards on organisations anywhere in the world that intentionally target and process the personal data of individuals located in the European Union.

GDPR repealed and replaced the former Data Protection Directive (Directive 95/46/EC) and is based on the key principles outlined below:

  • Lawfulness, Fairness and Transparency: Data is obtained lawfully, under valid grounds, and not in violation of any other laws. Organisations must be open and honest with individuals about how they plan to use their data, and it cannot be used in a way that is detrimental or misleading to any individuals.
  • Purpose Limitation: Data is collected for a specific and legitimate purpose.
  • Data Minimisation: Organisations should not collect more personal information than they need from data subjects.
  • Accuracy: Every reasonable step must be taken to erase or rectify data that is inaccurate or incomplete. Individuals have the right to request that inaccurate or incomplete data be erased or rectified within 30 days. Worth noting, this time period can be extended to 60 days if the controller provides notice to the data subject, or if the request is cumbersome.
  • Storage Limitation: Data is kept only as long as necessary for the purpose in which it is processed.
  • Integrity and Confidentiality (Security): Appropriate security measures must be in place to ensure information isn’t accessed by hackers or accidentally breached.
  • Accountability: Controllers and processors of the data can demonstrate compliance with all of the principles above. This specific principle is new to EU data protection standards.

How does ISO 27701 relate to GDPR compliance?

Knowing what we know of ISO 27701 and the GDPR, it’s easy to see how ISO 27701 could be confused as meeting GDPR compliance — especially when you consider how closely the controls tie back to the articles of GDPR.

The difference, however, is that ISO 27701 is a management system and not a regulation. A management system is essentially an outline for an organisation, and it falls on the organisation to follow and adapt the system in a way that makes sense. Management systems are intentionally vague and can’t be used interchangeably with a regulation like the GDPR. By achieving ISO 27701 certification, organisations can cover a lot of pieces of the GDPR, but it’s impossible to fully correlate a standard and a regulation. Note that the regulations that apply to the organisation are listed throughout the audit.

Another fundamental difference between GDPR and ISO 27701 is the ability to carve out your ISO 27701 scope to certain aspects of your business. You can implement ISO 27701’s management system to a particular department or service, for example, the software you provide to clients.

While ISO 27701 does not equal GDPR compliance, it’s a good start.

ISO 27701 helps organizations start the GDPR journey

Once the management system is in place throughout your organisation, it’s possible to expand on that management system to achieve GDPR compliance — with the proper advisory and consulting services.

For organisations seeking an internationally recognised framework, the ISO standards can provide a certification that is scalable to your needs. And in the absence of an official certification for GDPR (which is not yet available), ISO certification can demonstrate your organisation’s commitment to privacy and the maturity of your privacy posture.

With our experience in assessing organisations’ cybersecurity, compliance, and privacy, A-LIGN can provide your organisation with the experience and guidance needed to achieve an ISO certification.

Does My European Business Need a SOC 2 Assessment?

by: A-LIGN 19 Aug,2021 7 min

SOC 2

The US-based SOC 2 standard is starting to catch on in European businesses as well as other parts of the world. Although it’s a voluntary American standard, SOC 2 helps to raise cybersecurity maturity and increase business value.

While researching the latest trends and best practices in cybersecurity compliance, you may have seen increasing reference to the SOC 2 (System and Organization Controls) framework.  

SOC 2 examinations were designed by the American Institute of Certified Public Accountants (AICPA) to help organisations ensure the protection of their data and the privacy of their clients’ information. A SOC 2 assessment focuses on an organisation’s security controls that are related to overall services, operations, and cybersecurity compliance. SOC 2 examinations can be completed for organisations of various sizes and across different sectors.

Although SOC 2 is typically a customer-driven compliance standard published by an American regulatory body, we are seeing a growing number of European organisations undergoing SOC 2 assessments. To help you determine if SOC 2 is right for your business, let’s examine why SOC 2 has started to catch on in Europe and the benefits it brings to non-American companies.  

Why are SOC 2 assessments becoming more popular in Europe?  

The rising use of SOC 2 in the U.S. over the past decade is largely due to the fact that many large companies wanted to be more proactive about their cybersecurity risk management. These organisations began setting forth requirements stipulating that their vendors must have a SOC 2 report ready as part of the due diligence process.  

Over the past two years, a similar chain of events has started to play out in Europe: increasingly, companies in certain key industry sectors want to review SOC 2 reports so they can determine that organisations along the supply chain have the necessary controls in place to protect the data of all parties involved. One example of this is in Germany with the C5 attestation, which has an over 80% overlap with SOC 2.

There are three primary sectors in Europe (especially within the UK) where there is an increasing demand for SOC 2: banking, insurance, and, most recently, central government. It makes sense that these sectors are some of the first to promote a more wide-ranging approach to cybersecurity compliance since they are among the most regulated fields in the world.  

The rise in popularity of SOC 2 in the U.S., and now, increasingly, in Europe and other parts of the world, has undeniably been driven by the widespread adoption of cloud computing. According to Gartner, most organizations will leverage cloud as a business necessity by 2028.

Let’s explore two key benefits of leveraging SOC 2. 

Moving from ISO 27001 to SOC 2 

Right now, International Information Security Standard 27001 (ISO 27001) serves as the principal cybersecurity standard for much of the world, and is particularly favoured in Europe. However, we are noticing that an increasing number of European companies are embracing SOC 2 in addition to ISO 27001 to demonstrate a higher level of cybersecurity maturity. SOC 2 is even replacing ISO 27001 outright in some vendor contracts.  

ISO 27001 certification is carried out against a strict controls framework that must be applied to the organisation, regardless of the size or sector, and the audit is pass/fail. With a SOC 2 report, the organisation gets to pick the categories of controls that are tested across five Trust Services Criteria (TSC): Security (required), Availability, Confidentiality, Processing Integrity, and Privacy. Ultimately, the independent assessor’s detailed SOC 2 report contains their expert opinion of how well the organisation meets the selected TSC to protect all aspects of its systems.  

The SOC 2 report is more in-depth than an ISO 27001 pass/fail approach. In fact, the end result of a SOC 2 assessment (an extensive attestation report up to 100+ pages in length) tends to give a company’s partners and clients a higher level of assurance about their security posture compared to the end result of an ISO 27001 audit (a one-page certification letter). This is one of the leading reasons why the cybersecurity compliance norm in Europe is beginning to shift.  

The SOC 2 historical lookback window  

SOC 2 assessments can be carried out in one of two ways: 

  • A SOC 2 Type I assessment attests to the design and implementation of controls at a single point in time. The assessor reviews evidence from systems in their current state and produces a Type I report.  This is not dissimilar to an ISO 27001 audit. 
  • A SOC 2 Type II assessment attests to the design, implementation, and operating effectiveness of controls over a period of time, usually between 3 and 12 months. In a Type II assessment, the assessor provides assurance that controls are not only designed and implemented, but that they have also operated effectively and as intended over the defined period.  

The SOC 2 Type II report shows whether or not an organisation has historically been adhering to the controls they have in place. While a SOC 2 Type II assessment does take longer to complete, it offers an extra layer of trust to a potential customer or partner. A Type II report essentially says, “we didn’t have to scramble to reach this point. We’ve been taking cybersecurity seriously for some time now.” 

Other benefits of a SOC 2 report  

In addition to helping build trust with prospects, customers, and partners, there are other significant business benefits that a European organisation can unlock with SOC 2 compliance. Let’s take a look at a few of the biggest perks that should be considered.  

A more competitive position 

Possessing a SOC 2 report can give your European business a competitive edge over other organisations operating in your space. Not only can this help you increase revenue by closing more deals, but it can also help retain clients who may have otherwise explored a different company with proof of a more mature cybersecurity posture.  

The ability to expand into the U.S.  

As an American cybersecurity framework, SOC 2 adoption has become widespread in the U.S. over the past 10 years. SOC 2 is, in essence, required to do business with most large or well-known U.S.-based companies, even though it is voluntary and not required by law. In much of the same way that GDPR compliance (which is a law) has become key for American companies looking to sell in Europe, SOC 2 is now a unique selling point for European companies that want to expand into the U.S. 

Future-proofing the business  

The truth is that we are only going to see SOC 2 become more prevalent in Europe over the coming years. In addition to the three sectors mentioned above, the manufacturing and logistics sectors are starting to support SOC 2, especially in the UK. The assessment is also gaining traction in other parts of the world. Australia’s Consumer Data Right (CDR), for example, is now active in the country’s banking and energy sectors. The Australian government has acknowledged that SOC 2 reports can be used as a means to achieve CDR accreditation.  

Does your business need SOC 2?   

So, does your business need SOC 2? The short answer is that, if your clients are starting to ask for it, or if you are planning to expand in the U.S., then you should begin planning for SOC 2 without delay. However, even if that’s not the case for your business, you would be well-advised to initiate conversations with stakeholders in your organisation to discuss how SOC 2 could help facilitate future growth.  

Why A-LIGN?

The best way to begin your SOC 2 journey is to reach out to a reputable, licensed auditor in the U.S. that will help you acquire a clearer understanding of where you need to start, what changes need to be made, and potential timelines. To make the entire process as efficient and convenient as possible, it’s also wise to choose a firm that has personnel operating in a European time zone, such as in the UK.

A-LIGN, the #1 SOC 2 issuer in the world, is proud to have 100 Europe-based auditors and more than 500 customers in Europe. A-LIGN is one of a few vendors with local offices and auditors in EMEA and APAC who can offer SOC 2 and other major U.S. cybersecurity frameworks, such as FedRAMP, CMMC and others. We are in a unique position to support companies headquartered in these regions but who also operate in the U.S. market.

Contact us today to get started on your journey to SOC 2 compliance.

It’s no secret that the cybersecurity compliance industry is in the middle of a big shift.

The demand for trusted, high-quality cyber assessments is skyrocketing, and organizations everywhere are looking for easier, more efficient ways to complete their audit cycles and leverage the process for increased security value at the same time. The opportunity for new ideas and innovation in the compliance industry is at an all-time high. 

That’s why today I’m so excited to announce the next phase of our growth, as we welcome the team at Warburg Pincus on our journey. A-LIGN has always been at the forefront of cybersecurity compliance, relentlessly seeking ways to make audits and assessments more efficient while maintaining a high level of quality. The impact that the right strategic partner can have on a business like ours is undeniable. We experienced it over the last few years with FTV Capital – who remains an investor going forward – and we are fortunate to have Warburg Pincus at the table with us now. 

Together, we will continue to innovate and meet the needs of this dynamic market by putting forward a bold vision for A-LIGN over the next few years. We will:  

  • Become the premier one-stop provider for fully integrated compliance solutions, from pre-audit readiness to final report. 
  • Leverage A-SCEND’s tech-enabled audit management capabilities to help organizations simplify and consolidate efforts.
  • Expand our portfolio of cybersecurity assessments and services, including SOC 2, ISO 27001, HITRUST, FedRAMP, CMMC, penetration testing, privacy, and more. 
  • Reach more clients across the globe with the same customer-first approach that has always been at the core of A-LIGN’s recipe for success. 

To our clients and partners: we are looking forward to finding new ways to help you navigate the complexities of cybersecurity compliance. This relationship will allow us to do even more for you, delivering new technologies and accelerating the value we can bring to your operations. Rest assured; we’ll continue to be committed to your success, providing the same services at the same level of excellence as we always have. 

And finally, to our employees, or CLIMBERS as we call ourselves: I’m honored to work alongside you and proud of what we have accomplished together. I know you are all in on this adventure, and I appreciate the commitment you make every day to our clients and our team. 

Let’s go climb together – the next mountain awaits! 

What is FISMA and How Is It Related to RMF? 

by: A-LIGN And Pinal Desai 05 Aug,2021 5 min

FISMA

Do you know the difference between FISMA and RMF? We’ve got you covered! Learn how FISMA is related to RMF, the certification process, and the benefits to your agency. 

What is FISMA and how are its regulations related to RMF (the Risk Management Framework)? If your organization pursues federal contracts or works with a federal agency, the sheer number of security compliance certifications can seem overwhelming, and understanding the frameworks, processes, and benefits of these certifications can seem daunting. That’s why we’re here to help break down a well-known federal program, the Risk Management Framework (RMF), and the law that outlines the requirements that agencies must meet to achieve compliance, the Federal Information Security Modernization Act (FISMA).

FISMA requires federal agencies to develop, document and implement an agency-wide program to provide security for the information and systems that support the operations and assets of the agency. This includes assets provided or managed by another agency, contractor or other sources.  

After its initial launch, FISMA was amended to include several modifications that modernize federal security practices to address ever-evolving security concerns. These changes resulted in less overall reporting, strengthened the use of continuous monitoring in systems, and increased focus on the agencies for compliance and documentation that is centered on the issues caused by security incidents.  

What is RMF? 

RMF was designed to effectively bring together all of the FISMA-related security standards and guidance to promote the development of comprehensive and balanced information security programs by agencies. According to NIST.gov, the stated goals are as follows: 

  • To improve information security 
  • To strengthen risk management processes 
  • To encourage reciprocity among federal agencies 

More simply put, FISMA establishes the standards and requirements of an agency’s cybersecurity program and RMF helps determine how that program is implemented to meet those standards and requirements.  

What is the RMF Process? 

RMF transforms traditional Assessment and Authorization (A&A) programs into a more manageable six-step life cycle. It begins with a preparation step and then consists of:

  1. The categorization of information systems 
  2. The selection of security controls 
  3. The implementation of security controls 
  4. The assessment of security controls 
  5. The authorization of information systems 
  6. The monitoring of security controls  

RMF has currently been implemented across the major sectors of the federal government, including: 

  • Federal “civil” agencies 
  • Intelligence Community (IC) agencies 
  • Department of Defense (DoD) components 

If your agency falls into one of these sectors, it likely relies on FISMA- and RMF-approved standards for its cybersecurity systems and procedures.

What are the FISMA Requirements within the RMF Process? 

In order to comply with FISMA, an organization must go through the Assessment and Authorization (A&A) process with a Federal agency. To make this process as simple as possible, a Federal cybersecurity assessment can be divided into four general phases:  

Phase I: Initiation Phase 

  • This phase includes preparation, resource identification and system analysis.  
  • This ensures that all senior officials are on the same page and agree with the drafted security plan.  
  • Testing should be performed before certain actions such as identifying key security officers, conducting an initial risk assessment, or an independent audit.  

Phase II: Security Assessment Phase 

  • This phase includes security control Assessment and Authorization (A&A) documentation. 
  • Entities must verify that system controls are properly implemented as outlined during the initiation phase.  
  • Any discovered deficiencies in security must be corrected.  
  • At the end of this phase, risks to the agency, its systems and individuals will be clearly identified—which allows for a clear decision-making process.
  • When concluding this phase, the Authorizing Official will review any necessary security updates or adjustments.  

Phase III: Security Authorization Phase 

  • This phase includes a decision regarding authorization and documentation.
  • Entities must determine if the remaining risks post-implementation of the security controls from phase 2 are acceptable.  
  • The information system owner, information system security officer, and security control assessor (SCA) provide collaborative information to the authorizing official, who then determines if the final risk level is within the “acceptability of risk” boundary.
  • The goal of this phase is to reach the required authorization to operate (ATO).
  • A Federal agency may also issue an interim ATO at their discretion for a variety of reasons.  Under this interim ATO, the agency outlines whatever actions must be completed to become fully authorized.   
  • If those actions are not completed by the agreed upon deadline, the Authorizing Official may deny authorization of the system.  
  • By the end of this phase, all documentation from phases 1 and 2 must be compiled into a final security authorization package—including an authority to operate decision letter.  

Phase IV: Continuous Monitoring Phase 

  • This phase includes system configuration, security management, monitoring and reporting. 
  • Maintaining a high level of security through monitoring security controls, documenting any updates and determining if any new vulnerabilities develop is this phase’s focus.  
  • Detailed documentation is key, including tracking the current hardware, software or firmware version in use.  
  • Officers must also note physical modifications, like new computers or facility access changes.  

The Benefits of FISMA/RMF Compliance 

Although regulatory compliance is often viewed as a complicated undertaking for agencies, FISMA/RMF compliance is a completely different situation. RMF compliance by meeting FISMA requirements translates to heightened readiness for current and future cyber threats, with many benefits: 

  • Security: FISMA’s strict criteria and standards can greatly enhance an agency’s cybersecurity systems. Even physical disasters aren’t long-term setbacks—with FISMA’s regulations met, agencies can recover critical data almost instantaneously even after catastrophic damage to the tangible parts of their systems.  
  • Reputation Management:  Reputation management and word-of-mouth are an integral part of business management.  The general public is becoming increasingly knowledgeable on cybersecurity issues, such as data privacy, and a data breach could result in a negative outlook on  your agency.  
  • Scalability: One of the benefits of FISMA is that it provides different implementation options depending on the levels of potential impact for an organization or individual if there were a security breach. A breach of security could be a loss of confidentiality, integrity, or availability. The three FISMA implementation levels are: low, moderate and high.   
  • Understanding the Competition: In the process of categorizing risks, you will gain a valuable understanding of the marketplace, giving you an advantage over your competitors.

Achieving RMF Compliance 

For organizations looking to win government contracts, the RMF compliance framework provides clear requirements for the development, documentation and implementation of an information security system for its data and infrastructure.


Price and Associates CPAs, LLC dba A-LIGN ASSURANCE is a licensed certified public accounting firm registered with the Public Company Accounting Oversight Board (PCAOB). A-LIGN Compliance and Security, Inc. dba A-LIGN is a leading cybersecurity and compliance professional services firm.

A-LIGN 2025. All rights reserved.
