Data Privacy Is Driving Conversations
For nearly two decades, the data economy has hidden behind a “digital curtain” that cloaked organizations’ sometimes dubious practices from lawmakers and the public. It was the wild west, where companies could do whatever they wanted with consumer data. That curtain has since been lifted as a result of consumer mistrust, government regulations, and market forces.
Privacy is top of mind for consumers and a priority for government. As such, organizations that handle personal data are having to take action to affirm their commitment to data security and comply with a growing set of regulations.
Government Actions
For years, organizations made the rules when it came to data privacy. But in the wake of costly data breaches, and sometimes at the behest of consumer advocacy groups, governments are steadily increasing their focus on securing data privacy.
General Data Protection Regulation (GDPR)
General Data Protection Regulation (GDPR) is designed to protect the data of European Union residents. It is an update to the outdated Data Protection Directive, enacted in 1995. Unlike the directive, which every EU nation could customize to their own country, the GDPR requires all 27 member states of the EU to comply with the binding regulation.
The problem with the earlier directive was that it failed to address how data is stored, collected, and transferred in an age where information is increasingly digitized. Simply put, it didn’t keep up with the speed of technological advancement, so new regulation was required. Failing to properly comply with the GDPR can be extremely costly, and some of the world’s most recognized companies have been slapped with hefty fines when they were found to have broken the regulations:
- Amazon was fined a whopping $877 million for issues related to cookie consent.
- WhatsApp was slammed with a $255 million fine for failing to properly explain its data processing practices in its privacy notice.
- Google was hit with a $102 million fine for not making it easier for YouTube users to refuse cookies.
California Privacy Rights Act (CPRA)
An evolution of the 2018 California Consumer Privacy Act (CCPA), the new California Privacy Rights Act (CPRA) began as a ballot initiative promoted by the data privacy advocacy group Californians for Consumer Privacy. The group gathered enough signatures to qualify its proposition for a new privacy law on the 2020 ballot. California voters approved Proposition 24, which set the stage for CPRA to become state law.
The CPRA is a data privacy bill that takes effect on January 1, 2023 and becomes fully enforceable on July 1, 2023. The new CPRA is more comprehensive than the CCPA. It strengthens data privacy rights of California residents, tightens business regulations around the use of personal information (PI), and establishes a new government agency for state-wide data privacy enforcement called the California Privacy Protection Agency (CPPA).
Inspired by California, Colorado and Virginia have also signed privacy bills into law. More state legislation is expected on the horizon as all but 11 statehouses are discussing bills at some level to govern the use of personal information.
Personal Information Protection Law (PIPL)
On August 20, 2021, China passed the Personal Information Protection Law (PIPL) which provides Chinese citizens privacy protections and rights over their personal information. The comprehensive privacy and data protection law took effect on November 1, 2021.
The legislation comes as China increases regulatory scrutiny on technology companies and other entities handling large troves of sensitive public data. As an example, the government cracked down hard on rideshare company DiDi because it wasn’t satisfied with its data security and privacy practices.
While some refer to the PIPL as China’s GDPR, the truth is that the PIPL introduces requirements that make it even more stringent than the GDPR. For example, the PIPL allows next of kin to exercise the rights of deceased persons, and it introduces personal liability for some violations.
How Your Organization Can Achieve and Maintain Industry Compliance
Organizations working with customer data must be aware of current privacy protection standards and frameworks in order to effectively achieve and maintain compliance. Here’s how.
ISO 27701 Certification
ISO 27701 is intended to help organizations protect and control the personally identifiable information (PII) that controllers and processors handle. This international standard streamlines compliance obligations by integrating privacy into an organization’s information security management system.
Privacy Impact Assessments
The E-Government Act of 2002 requires agencies to perform privacy impact assessments to evaluate systems that collect PII and determine whether the privacy of that PII is properly secured.
Data Segmentation
Data segmentation is the process of grouping data into two or more subsets based on use cases, types of information, and sensitivity of the data. Following segmentation, organizations can create security parameters and authentication rules to limit access to the data to only authorized personnel. For example, covered entities (as defined by HIPAA) and their business associates can apply data segmentation to PHI.
GDPR Gap Assessment
Failure to comply with GDPR can result in penalties and significant fines. To help your organization best prepare for GDPR compliance, A-LIGN offers a GDPR Gap Assessment. During this assessment, our auditors review your organization’s current data protection and privacy environment and provide a detailed gap assessment to help your organization achieve compliance.
Consumer and Market Driven Actions
Organizations are tasked with responding to changes in the data protection landscape driven by consumer advocates and market forces in a timely (and visible) manner.
Apple Leads with iOS Privacy Changes
Last year, Apple’s update to its iPhone operating system gave users the ability to opt out of data harvesters’ ability to track them across the apps they use on their phone. It was a blow to Facebook’s parent company, Meta. The tech company relies heavily on ad targeting and lost $10 billion last year as a result of users opting out, and expects to lose $10 billion more this year. Clearly, consumers want more privacy controls, which explains why Google is following Apple’s lead. The Android operating system maker is giving app developers two years to prepare for the new privacy restrictions.
Data cooperatives
Data cooperative refers to the voluntary collaborative pooling of personal data for the benefit of the group or community. After all, why should trillion-dollar Big Data companies be the only ones to benefit from the wealth of information that Big Data provides? Data co-ops give communities of individuals control of their data and negotiating power when it comes to monetization. It also drives common insights for the benefit of the community, such as data about community public health that can be used to address disparities in how healthcare (i.e., vaccines, testing, etc.) is distributed.
Taking Steps to Achieve Compliance
Data privacy continues to drive conversations and even the actions of consumers, and governments are responding to calls for regulating how personal data is collected and used.
Compliance with data protection laws is mandatory, and failure to adhere to evolving legislation will lead to lawsuits and fines. In fact, last year, 27 privacy bills were proposed protecting PII. It will require constant vigilance to stay compliant with all the new laws that emerge.
A-LIGN can help your organization adhere to regulations and affirm to clients that you take data privacy seriously. As a leading global cybersecurity and compliance firm, we are the industry’s trusted one-stop compliance partner for all cybersecurity and privacy needs. In addition to offering ISO 27001 + ISO 27701 certification, our services include data protection analysis, which can determine whether your organization complies with government regulations including GDPR, CCPA/CPRA, and HIPAA.
Using NIST 800-171 to Prepare for CMMC 2.0
The Cybersecurity Maturity Model Certification (CMMC) program was first introduced in early 2020 as a way to enhance the cyber defenses of companies that are part of the defense industrial base (DIB) sector. While the goal of CMMC remains the same, its structure has undergone significant changes in the past couple of years — most notably the replacement of the original model with CMMC 2.0 toward the end of last year.
The Department of Defense (DoD) estimates that CMMC 2.0 won’t be finalized (and thus become a contractual requirement) until sometime between August 2022 and November 2023. However, now is the time to lay the groundwork if you are a DIB contractor or subcontractor that wants to take the most efficient path to certification once it is released.
The best way to prepare is to ensure compliance with NIST 800-171 since CMMC 2.0 is largely influenced by this special publication’s requirements.
Follow the DoD Assessment Methodology for NIST 800-171
If your organization processes Controlled Unclassified Information (CUI) and is currently doing business with the DoD, you are already required to implement NIST 800-171 under Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012. Three additional clauses, collectively known as the DFARS Interim Rule, also require you to perform the following actions:
- Perform a cybersecurity self-assessment according to the DoD Assessment Methodology, a scoring system that allows the DoD to assess a contractor’s implementation of NIST 800-171.
- Submit your score and additional information (system security plan name, description of plan architecture, etc.) through the Supplier Performance Risk System (SPRS).
Carefully conducting this self-assessment and performing the necessary remediations will give you a good idea of how you will be assessed for CMMC certification. CMMC 2.0 Level 2, the level at which most DIB organizations will be required to certify, essentially mirrors NIST 800-171.
How Does the Assessment Methodology Work?
The self-assessment, also known as the “Basic Assessment,” is based on a review of your organization’s System Security Plan (SSP) regarding the covered information system(s). Each element of your organization that is covered by a commercial and government entity (CAGE) code must be tied to the SSP, which is a blueprint of your cybersecurity program.
To follow the DoD Assessment Methodology, you will score the self-assessment of your SSP on a 110-point scale (with 110 being a perfect score, indicating that all 110 controls of NIST 800-171 have been successfully implemented). For each control assessed, a statement must be provided in a Security Assessment Report (SAR), a companion document to your SSP. The statement provided for each control will follow one of the options below:
- If “yes,” a statement must be provided explaining how the requirement has been implemented.
- If “no,” a statement must be provided explaining why the requirement has not been met, as well as creation of a Plan of Action & Milestones (POA&M) that describes how and when the control will be met.
- If “partially,” a statement must be provided explaining why the requirement is partially met, plus an additional statement in the POA&M describing how and when it will be fully met.
- If “does not apply,” a statement must be provided explaining why the requirement does not apply to your environment.
- If “alternative approach,” a statement must be provided describing your alternative approach and why it is equally effective, as well as how you implemented the requirement.
The DoD Assessment Methodology uses weighted scoring rules for controls that are not implemented: each unimplemented control deducts its weight from the perfect score. Since some controls are worth more than one point, the total deducted can exceed 110, so a negative score is possible. Once you have calculated your score, you will report it through the SPRS, a portal and database the DoD uses to monitor supplier and product performance information (PI) assessments.
If your organization is short of the 110 perfect score, you will also submit your POA&M along with the date you forecast it will be fully executed. Note that under CMMC 2.0, the DoD will allow companies to receive contract awards with a POA&M in place. Per the CMMC implementation overview:
“The Department’s intent is to specify a baseline number of requirements that must be achieved prior to contract award, in order to allow a remaining subset to be addressed in a POA&M within a clearly defined timeline. The Department also intends to specify a small subset of requirements that cannot be on a POA&M in support of achieving a CMMC certification.”
For many organizations, this is a significant and welcome change, as the original CMMC program did not allow for POA&Ms.
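As an added illustration of the scoring procedure described above (example code written for this page, not a DoD or A-LIGN tool), the block below validates that every control carries the required SAR statement and, where needed, a POA&M entry; deducts the weight of each control marked “no” or “partially”; and returns the score, the POA&M list and the forecast completion date. The control IDs are real NIST 800-171 identifiers, but the weights are assumed values for a constructed subset, and the partial-credit special cases of the real methodology are not modelled.

```python
"""SPRS-style scorer for a NIST 800-171 self-assessment (constructed example).

The real DoD Assessment Methodology weights every one of the 110 controls at
1, 3 or 5 points; the subset and weights below are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PERFECT_SCORE = 110  # one point per control, 110 controls in NIST 800-171

# Assumed weights for a small constructed subset of controls.
CONTROL_WEIGHTS: Dict[str, int] = {
    "3.1.1": 5,   # limit system access to authorized users
    "3.1.20": 1,  # verify and control connections to external systems
    "3.4.1": 1,   # establish and maintain baseline configurations
    "3.5.3": 5,   # multifactor authentication
    "3.11.2": 5,  # scan for vulnerabilities
    "3.13.1": 5,  # monitor and protect communications at boundaries
    "3.14.2": 5,  # protection from malicious code
}

# The five statement options the methodology allows for each control.
STATUSES = ("yes", "no", "partially", "does not apply", "alternative approach")
# Statuses that count as "not implemented" for scoring. Assumption: "partially"
# is scored as not implemented (the real methodology grants partial credit
# for a couple of controls; that special case is not modelled here).
DEDUCTING = {"no", "partially"}


@dataclass
class ControlAssessment:
    control_id: str
    status: str
    statement: str                    # SAR statement required for every control
    poam_plan: Optional[str] = None   # required when status is "no"/"partially"
    poam_date: Optional[str] = None   # forecast completion as YYYY-MM-DD


def validation_error(a: ControlAssessment, weights=CONTROL_WEIGHTS) -> Optional[str]:
    """Return a description of what is missing, or None if the entry is complete."""
    if a.control_id not in weights:
        return f"{a.control_id}: not a scored control"
    if a.status not in STATUSES:
        return f"{a.control_id}: unknown status '{a.status}'"
    if not a.statement.strip():
        return f"{a.control_id}: every control needs a SAR statement"
    if a.status in DEDUCTING and not (a.poam_plan and a.poam_date):
        return f"{a.control_id}: status '{a.status}' requires a POA&M plan and date"
    return None


def score_assessment(assessments: List[ControlAssessment],
                     weights=CONTROL_WEIGHTS) -> Tuple[int, List[dict], Optional[str]]:
    """Return (score, poam_items, forecast_date).

    Score is 110 minus the weight of each control marked "no" or "partially".
    Every control in the weight table must have an entry, since the SAR must
    address each control; duplicates and incomplete entries are rejected.
    """
    seen = set()
    deductions = 0
    poam: List[dict] = []
    for a in assessments:
        err = validation_error(a, weights)
        if err:
            raise ValueError(err)
        if a.control_id in seen:
            raise ValueError(f"{a.control_id}: assessed twice")
        seen.add(a.control_id)
        if a.status in DEDUCTING:
            deductions += weights[a.control_id]
            poam.append({"control": a.control_id, "status": a.status,
                         "weight": weights[a.control_id],
                         "plan": a.poam_plan, "due": a.poam_date})
    missing = sorted(set(weights) - seen)
    if missing:
        raise ValueError(f"no SAR statement for: {missing}")
    # YYYY-MM-DD strings sort chronologically, so max() is the latest due date.
    forecast = max((p["due"] for p in poam), default=None)
    return PERFECT_SCORE - deductions, poam, forecast


def minimum_possible_score(weights=CONTROL_WEIGHTS) -> int:
    """Score if nothing is implemented: 110 minus every weight. With the full
    DoD table the weights sum past 110, which is why the score can be negative."""
    return PERFECT_SCORE - sum(weights.values())


def sample_assessment() -> List[ControlAssessment]:
    """Constructed SAR entries for the subset above (not real assessment data)."""
    return [
        ControlAssessment("3.1.1", "yes", "Access limited via RBAC in the IdP."),
        ControlAssessment("3.1.20", "does not apply", "No external system connections."),
        ControlAssessment("3.4.1", "no", "No baseline documented yet.",
                          "Adopt CIS benchmarks for all servers.", "2023-03-31"),
        ControlAssessment("3.5.3", "partially", "MFA on VPN only, not local admin.",
                          "Extend MFA to privileged local accounts.", "2023-06-30"),
        ControlAssessment("3.11.2", "yes", "Weekly authenticated scans."),
        ControlAssessment("3.13.1", "alternative approach",
                          "Zero-trust proxy replaces perimeter firewall; equally effective."),
        ControlAssessment("3.14.2", "yes", "EDR deployed on all endpoints."),
    ]


if __name__ == "__main__":
    score, poam, due = score_assessment(sample_assessment())
    print(f"SPRS score: {score} (minimum possible for this subset: {minimum_possible_score()})")
    for item in poam:
        print(f"POA&M {item['control']} ({item['status']}, -{item['weight']}): "
              f"{item['plan']} by {item['due']}")
    print(f"POA&M forecast completion: {due}")
```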
Study the DoD Assessment Guides for CMMC 2.0
In addition to following the DoD Assessment Methodology for NIST 800-171, I highly recommend that you study the official assessment guides for CMMC. Toward the end of last year, the DoD published two comprehensive guides that explain how contractors will have their networks inspected when CMMC is launched and organizations are pursuing certification. These assessment guides are formatted similarly to NIST 800-171A.
- The guide for Level 1 details how to assess against the 17 controls associated with this Foundational level. The requirements for Level 1 are primarily the same as they were under CMMC 1.0, except organizations are now able to self-assess.
- The guide for Level 2 details how to assess against the 110 controls associated with this Advanced level (same controls as NIST 800-171). While most contracts that include Level 2 will require certification from a CMMC Third Party Assessment Organization (C3PAO), the DoD has noted certain programs that “do not involve information critical to national security” will accept self-assessments.
- The guide for Level 3 is still under development. Only organizations working on the DoD’s most sensitive programs will be expected to achieve Level 3 certification.
It would also be wise to examine the scoping guidance documents for Levels 1 and 2 of CMMC 2.0. These reference materials are quite concise and will help your organization identify in-scope assets. Scoping guidance for Level 1 explains that only assets that process, transmit, or store Federal Contract Information are considered in scope (these organizations do not handle CUI). Scoping guidance for Level 2 defines the following four categories of assets as in scope:
- CUI assets which “process, store, or transmit CUI.”
- Security protection assets which “provide security functions or capabilities within the contractor’s CMMC Assessment Scope.” This includes things like consultants, cloud-based security tools, etc. that may not deal with CUI directly but are still used to meet CMMC requirements.
- Contractor risk managed assets which “are capable of, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place.” These assets must be inventoried, documented in the SSP, and included in system diagrams.
- Specialized assets which must also be inventoried, documented in the SSP, and included in system diagrams. These include:
- Government property
- Internet of things (IoT) or industrial internet of things (IIoT) devices
- Operational technology
- Restricted information systems
- Test equipment
Position Your Business for CMMC Success
While it’s true that the CMMC program has been notoriously delayed and it could take up to another year and a half to be finalized, don’t let this lull you into a false sense of security that you have plenty of time to get ready for certification. The DIB organizations that are actively striving toward an SPRS score of 110 will be well positioned to bid on contracts (or be contracted by prime contractors) once the program is officially launched. Those that are not putting in the effort to prepare will likely face a long wait for assistance, which can hurt their bottom line.
To best position your business for CMMC success, I recommend taking the time now to become NIST 800-171 compliant, so that your organization will have completed 90% of the process to becoming CMMC 2.0 certified upon launch. The benefits of earning NIST 800-171 compliance ahead of CMMC are as follows:
- Take the time to spread out the resources and cost required rather than undergoing a crash-course to get CMMC ready.
- Avoid going through the assessment process alongside the many other companies that will be scrambling to become CMMC 2.0 certified upon launch.
- There will be a limited number of CMMC C3PAOs available and hundreds of companies that will need to be certified. By earning NIST 800-171 compliance, you’ll have completed 90% of the process to becoming CMMC certified, making the assessment much easier and faster.
- If you’re backlogged with the many others trying to complete CMMC, you and your customers will have the peace of mind knowing you are NIST 800-171 compliant.
Next Steps
Looking for CMMC guidance that is custom-tailored to your business? You’re in the right place. As one of the first candidate C3PAOs and a top assessor of federal compliance, A-LIGN can perform a CMMC Readiness Assessment by evaluating your organization’s security policies, procedures, and processes against the controls published in NIST 800-171.
How ISVs Can Maintain CSP Business by Meeting Select FedRAMP Controls
Are you an independent software vendor (ISV) wondering about the applicability of the Federal Risk and Authorization Management Program (FedRAMP) to your product? FedRAMP doesn’t apply directly to ISVs; however, there are certain requirements you will need to meet if you have a customer (or several) looking to sell to the Federal government.
Here’s what you need to know about FedRAMP for your organization and the steps you need to take.
Does FedRAMP Apply to Your Organization as an ISV?
FedRAMP does not apply to your organization in the traditional sense. FedRAMP was designed to provide a cost-efficient and risk-based approach to cloud adoption for federal departments and agencies. As such, cloud service providers (CSPs) that wish to sell a commercial cloud service offering (CSO) to a government agency must obtain authorization to operate (ATO) from a government agency or the program’s Joint Authorization Board (JAB). CSPs that achieve ATO status then have their CSO listed on the FedRAMP marketplace and are eligible to do business with government agencies.
However, as an ISV, you cannot obtain ATO nor have products listed in the FedRAMP marketplace because your software is not a cloud-based “as a service” offering. “As a service” offerings include Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS).
But this doesn’t mean you’re not subject to FedRAMP requirements. In fact, if your product is incorporated into a CSO (such as a SaaS solution like ServiceNow or Salesforce), then the product is within the authorization boundary of that offering. This means it will have to meet certain control requirements for your CSP customer to be able to earn FedRAMP authorization.
How Can Your Organization Meet Select FedRAMP Control Requirements?
The majority (80-90%) of FedRAMP control requirements related to your organization will be inherited from the underlying PaaS/IaaS (such as Azure or AWS) or will be the responsibility of the CSP customer. For this reason, it is important for your business to use a FedRAMP-authorized PaaS/IaaS to ensure the requirements are fulfilled at those layers because you are responsible for providing controls such as monitoring, endpoint protection, and vulnerability management. The agency can choose to either manage the controls or utilize a managed service provider (MSP).
For the remaining controls that are the responsibility of your business (related to application updates, flaw remediation, database management, etc.), an accredited third-party assessment organization (3PAO), like A-LIGN, can conduct a conservatively scoped assessment that attests to any controls your organization would typically provide to a client, along with how you would protect any federal data and metadata you would receive. The assessment results in a report that can be shared with customers to ensure everyone understands the risk associated with using the product prior to deployment.
This is the best way to ensure your business as an ISV is ready to sell to a CSP seeking government business. It introduces transparency and trust in the ISV. In the end, it is up to the government agency to decide whether or not they are willing to accept the risk associated with the CSP’s CSO and grant ATO status.
What are the Benefits of Using a 3PAO for a FedRAMP ISV Assessment?
Partnering with a 3PAO to assess a scoped-down list of the common controls your organization is expected to fulfill will help ensure that you are ticking all the necessary boxes. Without undergoing such an assessment, your business as an ISV may unintentionally hinder your CSP clients’ efforts to achieve FedRAMP authorization. Here are some of the benefits of using a 3PAO to perform this conservatively scoped FedRAMP assessment:
- Reduces uncertainty about whether or not the right controls are being met
- Increases transparency and trust between your organization and your CSP customers, and between those customers and the government
- Ability to re-use the assessment across CSP customers pursuing FedRAMP authorization
- Helps improve your overall security posture and mitigate the risk of a data breach
Work with a Top FedRAMP Assessor
Given the complexity of the cloud security ecosystem and related compliance standards, it’s easy to become confused about the degree to which FedRAMP applies to your organization. Rest assured that your business does not have to achieve full FedRAMP authorization like your CSP customers if they are looking to do business with a government agency. But that doesn’t mean FedRAMP doesn’t apply to your business as an ISV at all. Remember, if you sell to a CSP and your product falls within the authorization boundary of their CSO, there are certain FedRAMP controls you will be required to fulfill. That’s where A-LIGN comes in.
As a top FedRAMP assessor and an experienced 3PAO, our conservatively scoped assessment designed specifically for ISVs will ensure that your business has the necessary controls in place to help your clients earn FedRAMP ATO status.
What Is CSA STAR and Why Is It Valuable for Cloud Service Providers?
The Cloud Security Alliance Security, Trust, Assurance, and Risk (CSA STAR) program was established in 2012 as a way to verify and document the security and privacy controls implemented by cloud service providers (CSPs). CSA has seen mounting interest in their STAR certifications and attestations as adoption of cloud technologies continues to rise. Gartner predicts that nearly two-thirds (65.9%) of spending on application software will be directed toward cloud technologies by 2025.
Here’s everything you need to know about CSA STAR, how their certification program works, and why a growing number of CSPs are working toward certification.
What is CSA STAR?
The CSA, the governing body of the STAR program, is a nonprofit organization that is considered a worldwide authority in the area of cloud security research and the advocacy of best practices that support secure cloud computing. CSA designed the STAR program to help CSPs enhance their security assurance in the cloud through “the key principles of transparency, rigorous auditing, and harmonization of standards outlined in the Cloud Controls Matrix (CCM).”
CSA STAR leverages the CSA’s CCM, a framework used to test security and privacy controls (CSPs must adhere to the newest version, CCM v4). Once CSA STAR has been implemented, CSPs can apply to be listed on the official registry, allowing prospects and customers to confirm the security and compliance posture they adhere to.
Achieving a certification through the CSA STAR program effectively helps CSPs reduce the security risks inherent to cloud computing solutions and services, like Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). As CSA Founder and Chairman Dave Cullinane said, “If you have an application exposed to the Internet that will allow people to make money, it will be probed.”
CSPs have two options to choose from when pursuing CSA STAR, each of which has its own specific set of requirements.
What is CSA STAR Level 1?
CSA STAR Level 1 is a self-assessment intended for CSPs that operate in a low-risk environment and want to offer greater visibility into the security controls they have in place. Level 1 is a free assessment conducted internally and does not require a third-party firm to complete.
There are two variations of the Level 1 assessment:
- Security Self-Assessment: The CSP submits a completed Consensus Assessment Initiative Questionnaire (CAIQ) to document compliance with the CCM. The security self-assessment only covers security-related controls and must be updated annually.
- GDPR Self-Assessment: The CSP submits a completed Code of Conduct Statement of Adherence and Code of Practice to document compliance with GDPR. The GDPR self-assessment only covers privacy-related controls and must be updated annually.
Both of these self-assessments must also be updated any time there is a change to the CSP’s policies or practices related to the service being assessed. Depending on the CSP’s desire to highlight security and/or privacy controls, they may choose to complete one self-assessment or both.
What is CSA STAR Level 2?
CSA STAR Level 2 is a third-party audit intended for CSPs that operate in a medium- to high-risk environment and want to enhance the controls of another standard or certification the business already follows. Completing both the self-assessment and the CAIQ mentioned above is a prerequisite for Level 2.
Additionally, Level 2 is not a standalone assessment and there are associated costs. For the third-party audit, the organization must use a certified STAR auditor, such as A-LIGN, to perform one of the following assessments depending on the standard it has already adopted:
- AICPA SOC 2 + CSA STAR Attestation (Most Common) — This attestation includes the SOC 2 Trust Services Criteria and the CCM framework, and must be renewed annually. Type 1 SOC 2 is acceptable for companies undergoing the CSA STAR for the first time, but subsequent submissions must have a review period of no less than six months (12 months for Type 2).
- ISO 27001:2022 + CSA STAR Certification — This certification includes the ISO 27001:2022 requirements and the CCM framework. It must be conducted on an annual basis and submitted to CSA STAR to update the registry upon recertification every three years.
- GB/T 22080-2008 + CSA C-STAR Assessment — Intended for CSPs that do business in China, this assessment includes the CCM framework and the Chinese national requirements of GB/T 22080-2008, plus additional controls from GB/T 22239-2008 and GB/Z 28828-2012. It must be completed every three years to maintain compliance.
If you are a CSP interested in pursuing CSA STAR Level 2, consider reading the CSA’s official Code of Practice to gain a better understanding of the steps required to earn a certification or attestation.
What are the benefits of certification?
Described as “the world’s largest and most consequential cloud provider security program,” CSA STAR allows CSPs to show that they take information security very seriously and are willing to take comprehensive measures to reduce the risk of a data breach. At its core, a CSA STAR certification or attestation (Level 2) demonstrates that companies needing to host their data within a cloud computing environment can do so knowing that it is protected using a world-class security framework specifically designed for cloud computing. The certification also:
- Reduces security risk for everyone involved with a CSP: the business, its customers, and other data owners.
- Allows CSPs and their customers to become better aligned on security practices. The transparency inherent to CSA STAR makes it easier for both parties to work together to keep data safe.
- Helps CSPs establish themselves as trusted cloud vendors. The certification is a valuable marketing tool and being listed in the CSA STAR Registry can bring in new business.
- Accelerates the sales cycle in some cases by reducing the work security teams might need to perform to sign new clients or establish new partnerships.
Navigating the Cloud Security Spotlight
With the adoption of cloud-based technologies only becoming more prevalent, there will undoubtedly be a spotlight on cloud security for years to come. CSA STAR certification offers a tried-and-tested way for CSPs to take their security posture to the next level and reduce the risk of a breach for both themselves and their customers. It is a highly valuable addition to any CSP’s compliance arsenal; for example, we helped PROS achieve CSA STAR certification in addition to SOC 1, SOC 2, SOC 3, ISO 27001, and PCI DSS.
If you are a CSP interested in SOC 2 + CSA STAR Attestation or ISO 27001:2022 + CSA STAR Certification, A-LIGN is a certified CSA STAR auditor that can help your organization take the most efficient path to earning a spot on the official registry.
Examining Certification Bodies for ISO 27001 Certification
There are a number of steps that need to take place before an organization can embark on their ISO 27001 certification journey. Perhaps the most important is to determine which certification body to work with. A certification body (CB) is an organization that provides certifications around a chosen standard. They can either be an accredited CB or an unaccredited CB. Although there are admittedly minor differences between the two, the outcome of your ISO/IEC 27001 certification, and how you are able to leverage it, could vary drastically.
In this blog, we’ll explore the different certification bodies, and explain why choosing the right one matters.
What is ISO 27001?
ISO 27001 is a cybersecurity framework established by the International Organization for Standardization (ISO), focused on building an information security management system (ISMS) within your organization. An ISMS helps organizations manage the security of all data, ranging from financial information to intellectual property (IP) or other confidential information.
ISO 27001, specifically, is a risk-driven standard that centers on data confidentiality, integrity and availability. Because it’s built around the process of monitoring and improving information security, its intent is to help organizations improve their approach to data security in a more holistic manner.
This is of particular importance for organizations looking to more efficiently reduce risk, optimize operations, and build a culture of information security. In fact, the standard also helps in implementing controls specific to an organization’s unique risks and assets, rather than applying general guidance in a one-size-fits-all approach.
Accredited certification body vs. unaccredited certification body
Accredited certification body
An accredited certification body (CB) must complete an extremely rigorous evaluation process through an accreditation body to ensure the certification audit it conducts is performed in accordance with the audit requirements. The evaluation process reviews the competence of the audit team, the audit methodology used by the certification body, and the quality control procedures in place to ensure both the audit and report are properly completed.
It’s worth noting organizations that use an accredited CB for certification will receive their ISO 27001 certifications with the accreditation body and IAF seal included. This illustrates that the certification body has an accreditation certificate and is accepted worldwide.
Unaccredited certification body
Unlike an accredited CB, an unaccredited CB is not audited to confirm their compliance with IAF certification audit requirements.
In some cases, it will be critically important for organizations to determine their clients’ expectations. If an organization is pursuing an ISO 27001 certification to meet a client need, they should also confirm if the client requires an accredited certificate or if they will accept a certificate from an unaccredited CB.
The ISO 27001 certification process is a detailed and intensive assessment that requires organizations to illustrate conformance to the standard across seven mandatory clauses and 114 Annex A controls. No organization wants to needlessly go through the process twice by working with an unaccredited CB when a certificate from an accredited CB is required.
ISO 27001 Certification bodies
Certification bodies are accredited to issue ISO/IEC 27001 certificates. That said, there are many national accreditation bodies that provide accreditation to CBs for ISO 27001. Here is a deeper look into two of the major players: ANAB and UKAS.
ANAB
The ANSI National Accreditation Board (ANAB) is the largest accreditation body in North America, providing services to more than 75 countries. ANAB’s mission is to be a “leader in guiding the international development of accreditation processes that build confidence and value for stakeholders worldwide.” ANAB aims to do this by “providing high quality and reliable accreditation services with the most professional value-added services for customers and end users.”
Obtaining an ANAB accreditation for CBs has a number of benefits, including assurance of competence and reliability, and increased confidence from suppliers, partners and vendors. These result from the regular, impartial, and independent audits conducted by an internationally respected body.
UKAS
The United Kingdom Accreditation Service (UKAS) is the national accreditation body for the UK. Its mission is to instill trust and confidence in the products and services widely used each day.
The benefit for CBs obtaining UKAS accreditation is that UKAS demonstrates the competence, impartiality and performance capability of the evaluators. UKAS describes itself as “checking the checkers,” which in turn allows certified organizations to establish a stronger sense of trust around data security with their customers.
Although there are many accreditation bodies located throughout the world, there is little difference among the primary three. This is because all accreditation bodies follow similar processes to identify CBs based on alignment with various checks-and-balances established by organizations like the IAF.
The IAF
The International Accreditation Forum (IAF) serves as the regulator for national accreditation bodies, including ANAB, RvA, and UKAS. Its primary function is to “develop a single worldwide program of conformity assessment which reduces risk for businesses and their customers by assuring them that accredited certificates and validation and verification statements may be relied upon.”
Basically, the IAF oversees the activities of the accreditation bodies to ensure they maintain the required standards when providing accreditation to CBs.
Most accreditation bodies are represented within the IAF and are committed to upholding the trust and validity of accreditation in their efforts to provide accreditation certificates to CBs.
How certification bodies obtain and maintain accreditations
Certification bodies undergo a stringent process of annual office and witness audits. Many accreditation bodies will offer numerous training sessions for both individuals and organizations to not only stay educated on evolving standards, but to also maintain accreditations.
The ANAB, for example, offers a variety of training sessions focused on expanding knowledge of certain standards and mandatory documents.
Next steps
With an ISO 27001 certification, your organization can gain significant benefits, including building a culture of information security and diligence, and meeting additional security compliance requirements. And when you leverage an accredited certification body to help you achieve your ISO 27001 certification, your certification creates a stronger sense of trust and acceptance with customers worldwide.
A-LIGN is an ANAB-accredited ISO/IEC 27001 certification body that helps organizations meet their ISO certification needs.
Get started by downloading our ISO 27001 checklist.
What Is HIPAA Compliance? Key Definitions + 7 Step Checklist
HIPAA (Health Insurance Portability and Accountability Act) is a federal law requiring organizations to keep patient data confidential and secure. If you are an organization that handles protected health information (PHI), a HIPAA compliance report will demonstrate you have the required safeguards in place to protect patient information.
There are three major components to HIPAA rules and regulations – the Security Rule, Privacy Rule, and Breach Notification Rule. This article will give background information on these three components and provide a checklist you can use when seeking HIPAA compliance.
What is HIPAA Compliance?
HIPAA compliance is a process for covered entities and business associates to protect and secure PHI in a way that complies with the established Privacy, Security, and Breach Notification Rules. Let’s review what information classifies as protected healthcare information and the professions bound by HIPAA regulations.
- PHI is protected healthcare information. This includes items such as paper documents, X-Rays, and prescription information. Electronic protected health information (ePHI) is PHI that includes digital medical records, electronic MRI scans, names, addresses, and dates (birthdays, hospital admission, discharge dates, etc.) stored or transmitted electronically.
- Covered entities are individuals and organizations working in healthcare who have access to PHI. These include doctors, surgeons, nurses, psychologists, dentists, chiropractors, hospitals, clinics, nursing homes, pharmacies, health plans, health insurance companies, HMOs, and company health plans. They frequently work with sensitive health information and are therefore bound by HIPAA regulations.
- Business associates are individuals and entities that perform activities involving the use or disclosure of protected health information on behalf of, or provide services to, a covered entity. This could include, but is not limited to, lawyers, accountants, administrators, and IT professionals.
Compliance with the HIPAA Security Rule
The HIPAA Security Rule requires covered entities accessing or handling ePHI to follow appropriate technical, physical, and administrative safeguards designed to keep the healthcare data confidential and secure.
- Technical Safeguards refers to the following:
- Access Controls. Only authorized persons may have access to ePHI.
- Audit Controls. Records of those accessing ePHI must be kept for auditing.
- Integrity Controls. Measures must be established to confirm ePHI has not been improperly altered or destroyed.
- Transmission Security. Security measures must be established to guard against unauthorized access to ePHI transmitted electronically.
- Physical Safeguards refers to the following:
- Facility Access and Control. Physical access to facilities must be limited to authorized personnel.
- Workstation and Device Security. Policies and procedures must be established specifying the proper use of and access to workstations and electronic media.
- Administrative Safeguards refers to the following:
- Security Management Process. Potential risks to ePHI must be identified and analyzed, and security measures implemented to reduce these risks.
- Security Personnel. The entity must appoint someone from the organization as the designated security official responsible for developing and implementing its security policies and procedures to assure compliance with the Security Rule.
- Information Access Management. Policies and procedures must be established authorizing access to ePHI only when necessary.
- Workforce Training and Management. Workforce members handling ePHI must be trained on security policies and procedures, supervised, and sanctioned when they violate these policies and procedures.
- Evaluation. Periodic assessment must be conducted to evaluate how well security policies and procedures meet the requirements of the Security Rule.
Compliance with the HIPAA Privacy Rule
The Privacy Rule addresses the use and disclosure of PHI by covered entities and outlines an individual’s privacy rights so they can understand their health information and control how it’s used. This rule covers all personal identifiers handled by a covered entity or its business associates in any media (electronic, paper, or spoken word).
With the exception of disclosure of PHI for treatment, payment, or healthcare operations, complying with the Privacy Rule means that PHI is only disclosed when authorization is given by the patient, patient’s legal representative, or decedents, or:
- When required by law
- When in the patient’s or the public’s interest
- To a third-party HIPAA covered entity with which a relationship exists
Additionally, the Privacy Rule limits disclosure of PHI to the minimum necessary for the stated purpose.
Compliance with the Breach Notification Rule
The HIPAA Breach Notification Rule requires covered entities and their business associates to provide notification following a breach, or the impermissible use or disclosure of PHI. Patients and the Department of Health and Human Services must be notified of breaches, as well as the media if the breach affects more than 500 patients. Notification must be reasonably prompt and no later than 60 days following discovery of the breach.
Breaches affecting fewer than 500 individuals must be reported to the Office for Civil Rights (OCR) web portal on an annual basis. Breach notifications should include:
- The nature of the PHI and the types of personal identifiers exposed
- The unauthorized person who accessed or used the PHI or, if known, to whom the disclosure was made
- Whether the PHI was acquired or viewed (if known)
- The extent to which the damage or risk of damage has been mitigated
HIPAA Compliance Checklist
Covered entities and business associates can use the following as a guide to help establish or remain in HIPAA compliance.
- Identify gaps in audits and document deficiencies through a HIPAA gap analysis
- Create and document remediation plans to address deficiencies found in audits
- Update and review these remediation plans annually
- Retain records of documented remediation plans for six years
- Ensure staff completes HIPAA training
- Document their training
- Designate a staff member to be the HIPAA Compliance, Privacy, and/or Security Officer
- Maintain policies and procedures relevant to the annual HIPAA Privacy, Security, and Breach Notification Rules
- Ensure staff reads and legally attests to the policies and procedures
- Maintain documentation of their legal attestation
- Maintain documentation for annual reviews of the policies and procedures
- Identify vendors and business associates who may handle PHI
- Establish agreements with all business associates
- Assess the HIPAA compliance of business associates
- Track and review business associate agreements annually
- Sign confidentiality agreements with non-business associate vendors
- Define a process for incidents and breaches
- Ensure you can track and manage the investigations of all incidents
- Ensure you can provide the required reporting of all breaches or incidents
- Ensure staff members can report incidents anonymously
A-LIGN Specializes in HIPAA Compliance
The fines for HIPAA violations are imposed per violation category and can be severe, reaching up to $1,500,000 per violation category, per calendar year. Authorities can even file criminal charges in the case of willful neglect.
To ensure your organization remains in good standing, it’s often best to have professional assistance. With over 850 healthcare assessments completed, A-LIGN helps organizations achieve HIPAA compliance from readiness to report. Click to explore our HIPAA services.
Download our HIPAA checklist now!
What’s New with ISO 27002:2022?
On February 15, 2022, the International Organization for Standardization (ISO) released an update to ISO/IEC (International Electrotechnical Commission) 27002:2013 under the name ISO/IEC 27002:2022. The release of this new standard has caused a lot of confusion and anxiety within companies, with many under the mistaken impression that they’ll have to undergo a new certification process in order to achieve compliance. This, however, is not true.
In this blog, I’ll shed light on the new standard and explain what ISO 27002:2022 means for your business.
What Is ISO 27002?
Let’s start by clarifying that ISO 27002 should be viewed as more of a manual as it offers extensive guidance on the Annex A controls and best practices an organization should implement to ensure the confidentiality, integrity, and availability (CIA) of assets.
ISO 27001, on the other hand, actually establishes the compliance requirements needed to become certified. This clarification is important, primarily because ISO 27001 has not been updated yet, only its supplemental guidebook ISO 27002 has changed. This is, however, a great time for organizations to implement the best practices found in the revamped guidebook as we expect ISO 27001 will also be updated fairly soon.
Why Was ISO 27002 Updated?
Updates to ISO standards occur periodically. ISO/IEC 27002 has origins that trace back to a 1990s UK government initiative. It was first a standard developed by the oil company Shell Energy that was donated to the UK and became a British standard in the mid-1990s. ISO 27002 was adopted as an ISO standard in the year 2000 and seems to undergo revisions on an eight- to nine-year cycle, with official updates to ISO 27002 occurring in 2005, 2013, and now in 2022.
This most recent update reimagines the terminology and format of ISO 27002 to make it easier for the layperson to understand. There’s also more focus on cybersecurity and privacy, better aligning the controls to the modern digital era.
What Are the Major Changes?
While ISO 27002:2022 is an exhaustive guide with numerous changes, there are six changes in particular of which organizations should be aware.
1. Reduced Total Controls
There were previously 114 internal controls listed in ISO 27002:2013. Now, 57 of those controls have been consolidated into just 24 controls to eliminate redundancies. It’s worth noting that while the number of controls has decreased, no controls were excluded, only merged for simplicity. And with the addition of some new controls, the total number now stands at 93.
2. 11 New Controls
The 93 total controls include 11 brand new controls that address:
- Information security for use of cloud services
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
- Threat Intelligence
3. Domains Have Become Categories
Say goodbye to confusing domains and hello to categories. Now, instead of 14 domains, each of the internal controls falls under one or more of the following four categories:
- Organization
- People
- Physical
- Technological
4. “Objectives” Have Become “Purpose”
Don’t expect to find the word “objective” as you would have in previous versions of the standard. Instead, you’ll find each of the controls has an intended “purpose.” This new framing was done intentionally to help organizations better understand the point of the control and its impact on their assets.
5. New Attributes Tables
ISO created a table of attributes that correspond with each control. The five categories of attributes are as follows:
- Control type. What type of effect does the control have? Values: Preventive, Detective, or Corrective.
- Information security properties. Which part(s) of the CIA triad does the control touch? Values: Confidentiality, Integrity, or Availability.
- Cybersecurity concepts. What type of cybersecurity action will be taken? Values: Identify, Protect, Detect, Respond, or Recover.
- Operational capabilities. Which of the following security specialization(s) does the control belong to? Values: Governance, Asset management, Information protection, Human resource security, Physical security, System and network security, Application security, Secure configuration, Identity and access management, Threat and vulnerability management, Continuity, Supplier relationships security, Legal and compliance, Information security event management, and Information security assurance.
- Security domains. Which information security field is involved? Values: Governance and ecosystem, Protection, Defense, or Resilience.
6. Two New Annexes
Although there have been many consolidations, additions, and renamings of controls, ISO has made it easy to map the controls back to the 2013 version. With Annex B, users can find a 2022 control and then see with which 2013 control it corresponds. The reverse is true with Annex A, which allows users to first select a 2013 control and find the 2022 control with which it corresponds.
Get Ready for Certification
Although no action needs to be taken today, the updates to ISO 27002:2022 present a great opportunity for organizations to start reviewing and updating their internal controls. Doing so now, ahead of the anticipated ISO 27001 update, will enable organizations to more efficiently implement best practices to achieve compliance in the future. Certification bodies will require a shift once ISO 27001 has been updated but as always, being prepared is key to cybersecurity compliance success!
To expand your knowledge on how to achieve compliance, check out what it takes to get certified in 5 Steps to ISO Certification.
Understanding Federal Supply Chain Risk Management
Federal supply chain risk management remains a critical focus as cyber-enabled supply chain attacks continue to evolve in sophistication and frequency. These threats, often used as tools of hybrid warfare, pose significant risks to national security. While the principles of supply chain risk management (SCRM), cyber SCRM (C-SCRM), and federal SCRM share common ground, federal SCRM carries heightened stakes due to its direct implications for the security and resilience of the United States.
To grasp the ongoing efforts to strengthen federal supply chain risk management, it’s essential to first understand how supply chain risk management is defined within the broader context of cybersecurity.
What is cyber supply chain risk management?
Cyber supply chain risk management (C-SCRM) is the continuous process of identifying, evaluating, and mitigating risks associated with an organization’s IT and software supply chains. It’s a critical, organization-wide effort that extends beyond the IT department, embedding security into the entire risk management framework to protect essential systems and data.
C-SCRM best practices
The National Institute of Standards and Technology (NIST) provides foundational guidance for C-SCRM. To build a resilient program, organizations should prioritize integrating C-SCRM across all business functions, establishing a formal and dynamic program, and deeply understanding their critical suppliers. Collaboration, continuous monitoring, and comprehensive resilience planning are also essential components of a strong C-SCRM posture.
Maintaining trustful and transparent relationships with suppliers is crucial, as your security is only as strong as its weakest link. Breaches originating from third parties, and even “fourth parties” (your vendors’ vendors), can dramatically increase the cost and impact of a security incident.
Strategies for effective C-SCRM
To navigate today’s complex threat landscape, organizations must adopt more advanced and proactive strategies.
- Adopt a zero-trust mentality: Operate under the assumption that a breach is inevitable. A zero-trust architecture requires strict verification for every user and device trying to access resources on your network, regardless of whether they are inside or outside the network perimeter.
- Leverage AI and automation: Use artificial intelligence and automation to enhance continuous monitoring. These technologies can analyze vast amounts of data to detect anomalies, predict potential threats, and automate responses, allowing for faster and more effective risk mitigation.
- Enhance vendor risk management: Go beyond initial security questionnaires. Clearly define security requirements in all contracts and RFPs, and demand evidence of compliance, such as penetration test reports or security certifications. Implement continuous monitoring to ensure vendors maintain their security controls over time.
- Create a comprehensive asset inventory: You cannot protect what you do not know you have. Maintain a thorough inventory of all assets — including hardware, software, data, and personnel — and map out where they interact with third parties to identify potential points of failure.
What is federal supply chain risk management?
Federal SCRM is the process of mitigating risks within the supply chain that could impact national security. While historically focused on the Department of Defense (DoD) and the Defense Industrial Base (DIB), the scope of federal SCRM has expanded.
This expansion is a direct response to the increasing sophistication of our nation’s adversaries. These actors exploit supply chain vulnerabilities to infiltrate systems, steal intellectual property, corrupt software, and surveil critical infrastructure, posing a direct threat to U.S. security.
Key frameworks: NIST 800-171 and CMMC
To counter these threats, the U.S. government has established specific cybersecurity standards. The National Institute of Standards and Technology (NIST) 800-171 provides a set of security controls for protecting Controlled Unclassified Information (CUI) in nonfederal systems. Federal contractors and subcontractors handling CUI must implement these controls to safeguard sensitive data.
Building on this foundation, the Cybersecurity Maturity Model Certification (CMMC) program was created to verify that contractors have the necessary protections in place. The self-attestation approach under the old DFARS Interim Rule proved insufficient, leading to the development of CMMC as a more robust verification method.
CMMC 2.0: The future of federal supply chain risk management
The Cybersecurity Maturity Model Certification (CMMC) is a framework designed to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Defense Industrial Base (DIB). With the release of CMMC 2.0 in October 2024, the framework has been streamlined into three levels of compliance, each tailored to the sensitivity of the information being handled:
- Level 1 (Foundational): Focuses on basic cybersecurity practices for organizations handling FCI. Compliance is demonstrated through annual self-assessments.
- Level 2 (Advanced): Designed for organizations managing CUI, this level aligns with the 110 practices outlined in NIST SP 800-171. Critical CUI handlers require third-party assessments every three years.
- Level 3 (Expert): Reserved for the most sensitive programs, this level incorporates additional requirements from NIST SP 800-172 and mandates direct assessments by the Department of Defense (DoD).
The publication of the 48 CFR rule has solidified the implementation of CMMC 2.0, outlining a phased rollout for mandatory compliance in new DoD contracts. However, it is crucial to note that contracting officers have the discretion to include CMMC requirements in their contracts ahead of this schedule. Some organizations are already seeing these requirements appear in Requests for Proposals (RFPs).
The official phased rollout is structured as follows:
- Phase 1 (Starts November 10, 2025): For the first 12 months after the rule’s effective date, Level 1 and Level 2 self-assessment requirements may be included in applicable solicitations and contracts as a condition of award.
- Phase 2 (Starts November 10, 2026): Over the next 12 months, Level 2 third-party assessment requirements (C3PAO Certification) will be widely introduced in solicitations and contracts as a condition of award.
- Phase 3 (Starts November 10, 2027): In this phase, Level 2 C3PAO Certification becomes a requirement for all applicable solicitations and contracts, including the exercising of option periods. Level 3 government-led (DIBCAC) assessment requirements will also be introduced.
- Phase 4 (Starts November 10, 2028): This marks the full implementation of all CMMC requirements (Level 1, 2, or 3) across all applicable DoD solicitations and contracts, including option periods.
This shift underscores the DoD’s commitment to mitigating supply chain risks and enhancing the resilience of federal supply chains. Organizations within the DIB must now be prepared to demonstrate their cybersecurity posture through either independent validation or self-assessment, depending on their assigned CMMC level.
How to prepare for CMMC certification
- Determine your organization’s CMMC level. Level 1 is for contractors and subcontractors processing FCI. Level 2 is for organizations processing CUI. Only organizations working on the DoD’s most sensitive programs will be expected to achieve Level 3 certification.
- Review the assessment guide for your CMMC level. The CMMC Level 1 Self-Assessment Guide and Level 2 Assessment Guide explain how contractors will be evaluated. Unfortunately, there is not yet an assessment guide for CMMC Level 3.
- Work with a tech-enabled organization to secure your data. Cybersecurity solutions like Summit7, Radicl, and CyberSheath can help you secure your FCI and CUI to prepare for CMMC compliance.
- Select a C3PAO and complete a readiness assessment. With a limited number of C3PAOs, it is important to start validating your organization’s readiness as soon as possible, as you will need time to remediate any gaps found.
- Engage a C3PAO for Level 2 Certification early. If your organization requires a CMMC Level 2 certification, engaging a C3PAO is a critical step. These assessors are already in high demand, and their schedules are filling up quickly. Waiting until the CMMC requirement appears in contracts will likely be too late, as you may face significant delays in finding an available C3PAO to conduct your assessment.
Work with a top federal assessor
Federal SCRM is no longer a future concern—it’s a present-day necessity. As the volume and sophistication of global cyberattacks rise, organizations are under increasing pressure to enhance their defenses and gain clear visibility into their supply chains. Third-party risk remains a significant threat, as many businesses unknowingly collaborate with vendors who have inadequate cybersecurity measures, creating vulnerabilities that can be exploited.
Navigating the complexities of federal compliance requires expertise. Whether you need guidance through the NIST 800-171 assessment process or assistance preparing for your CMMC certification, A-LIGN can help you take the most efficient path to compliance. As an authorized C3PAO with over 1,000 successful federal assessments completed, our team has the experience to help you strengthen your security posture and meet government requirements.
What Is Death Master File Certification?
Since late 2016, organizations have faced a stricter certification process to be granted access to the Death Master File (DMF), a computer database created by the United States’ Social Security Administration from 1962 to present day. The DMF is a protected file that includes information regarding the deceased such as their name, date of birth, date of death, social security number, last known zip code, whether their death certificate was observed, and other personally identifiable information (PII). Organizations that need access to the PII of deceased individuals will need to certify with the DMF. Generally, in the three-year period following an individual’s death, sensitive information is unable to be released.
There are many challenges organizations can face when seeking DMF certification. Let’s review the certification process, what your organization should prepare for, and the standards against which you can certify.
What is the DMF certification process?
To access the DMF, an individual or entity must have a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, government rule, regulation, or fiduciary duty. If an organization qualifies for DMF certification, it will be required to follow the steps below during its assessment process.
Step 1: Testing is conducted against SOC 2 or NIST 800 series standards.
Step 2: Organizations must go to the National Technical Information Service (NTIS) website to pay the required fees and will receive a processing number. Please note, these fees are in addition to those paid to the Accredited Conformity Assessment Body (ACAB) for attestation.
Step 3: Organizations must obtain the FM100A attestation form from the NTIS website and provide their auditing firm with the processing number to complete the attestation.
Step 4: Your auditor files the attestation documentation with NTIS. Your auditor will notify you that your form has been submitted and will reach out only if an issue arises. If all information is correct, NTIS communicates directly with your organization on approval/certification status.
What should my organization prepare for?
Once you achieve DMF certification, it doesn’t stop there. Your organization will need to be prepared for recertifications, unscheduled audits and more. Below is a list of what you can expect in the next several years following your initial DMF certification.
- Annual recertification by the organization seeking access
- Third-party conformity attestation every three years
- Agreement to scheduled and unscheduled audits, conducted by National Technical Information Service (NTIS) or the ACAB at the request of NTIS
- Fines up to $250,000 per year for noncompliance
The entity wishing to access the DMF must submit written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality, security, and appropriate use of the information.
Subscriber certification must be completed annually. The LADMF Systems Safeguards Attestation Form must be completed every three years.
The U.S. Department of Commerce’s National Technical Information Service (NTIS), the governing body behind the DMF, can conduct both scheduled and unscheduled compliance audits and fine organizations up to $250,000 for noncompliance, with even higher penalties for willful violations. Due to the potential for substantial fines, it is important that entities be able to implement the appropriate systems, facilities and procedures to safeguard the information.
What standards can organizations certify against?
Organizations can achieve certification by testing against standards such as SOC 2 and the NIST 800 series publications.
What is SOC 2?
SOC 2 is a reporting standard that provides clients assurance regarding a service organization’s controls that do not affect the clients’ internal controls over financial reporting. This report is intended for use by stakeholders (customers, regulators, business partners, suppliers, directors) of the service organization to have a thorough understanding of the service organization and its internal controls.
What is NIST 800-53?
Published by the National Institute of Standards and Technology (NIST), NIST 800-53 covers the steps in the Risk Management Framework (RMF) that address security control selection for federal information systems in accordance with the security requirements in the Federal Information Processing Standard (FIPS) 200.
Helping You Achieve DMF Certification
A-LIGN is an ACAB that can attest to the systems and procedures organizations have in place. A-LIGN utilizes various published information security standards, mainly the AICPA SOC 2, to satisfy the rule’s audit requirements.
Since 2015, A-LIGN has been working to help our clients meet their DMF audit requirements and has successfully submitted the appropriate attestation forms to NTIS, resulting in certification for our clients. We have extensive experience testing the controls required by LADMF and can guide your organization through the certification process with ease.