As AI governance grows in importance, many organizations are planning for compliance. Our 2025 Compliance Benchmark Report, which gathered insights from over 1000 compliance professionals across various industries, found that 76% of organizations plan to pursue AI compliance soon with a framework like ISO 42001. Although ISO 42001 isn’t yet the definitive standard due to the dynamic nature of AI governance, it offers a comprehensive solution, providing clear guidelines and best practices for AI compliance. By proactively implementing ISO 42001 with an Artificial Intelligence Management System (AIMS), organizations can streamline AI workflows, accountability, decision-making, and risk management.
Let’s explore the benefits of implementing ISO 42001 this year.
How does ISO 42001 bring value to businesses?
ISO 42001 drives innovation by providing clear processes for managing risks and documentation, helping teams balance creativity with accountability. It also includes performance monitoring and stakeholder alignment to ensure AI systems meet their goals. By embedding risk management and continuous monitoring throughout the AI lifecycle, ISO 42001 helps identify and mitigate risks early, keeping systems efficient, relevant, and cost-effective.
Check out our article Understanding ISO 42001 to get a comprehensive overview of the new AI standard.
The benefits of early adoption
While waiting to implement an AIMS until regulations and market demands become clearer may seem logical, it actually creates greater risk. Early adoption of ISO 42001 is crucial for staying ahead of new regulations and market expectations. This standard helps organizations align with compliance requirements, build stakeholder trust, and improve operational efficiency. By adopting ISO 42001 early, organizations can mitigate risks, avoid costly delays, and position themselves as leaders in AI governance, driving innovation and competitiveness.
Let’s dive deeper into these benefits.
Stay ahead of AI regulations
Governments and industry bodies are rapidly introducing new AI-related requirements. The EU AI Act now mandates risk management, transparency, and monitoring for high-risk systems. US states are creating laws to mitigate AI risks, while countries like Singapore and China are establishing ethical AI guidelines. ISO 42001 provides a unified framework to adapt to these new regulations while allowing organizations to maintain control over their AI systems. Its focus on trust, transparency, and resilience in AI systems goes well beyond meeting regulatory minimums, making it a highly viable standard.
Build trust and transparency
Customers, investors, and partners expect AI systems to be fair, reliable, and secure. An AIMS built on ISO 42001 demonstrates accountability through defined communication practices (Clause 7.4, Communication) and controlled, traceable records (Clause 7.5, Documented information), building confidence in AI systems and stronger stakeholder relationships.
Minimize financial risks
Delaying AI governance can lead to higher costs, with consequences like noncompliance fines, missed market opportunities, rushed implementations, and governance gaps. Early adoption of ISO 42001 allows organizations to protect themselves from penalties and gain a competitive edge as certifications become necessary. Additionally, by acting now, organizations can allocate the necessary time and resources to build an effective AIMS and complete audits properly.
Boost operational efficiency
An effective AIMS ensures AI systems operate ethically, predictably, and effectively. ISO 42001 enhances efficiency by identifying and mitigating risks, improving data quality, and enhancing oversight. Its lifecycle monitoring and stakeholder collaboration boost performance and trust, while its structured risk management minimizes disruptions. It’s adaptable to various organizational sizes and AI maturity levels, allowing it to align with innovation goals.
Strengthen AI governance
As regulations and market expectations evolve, it’s crucial for organizations to adopt a framework that supports continuous improvement. ISO 42001 integrates seamlessly with standards like ISO 27001 and ISO 27701, creating a unified governance framework for diverse compliance needs. This combined approach enhances data security, ensures traceable data inputs and outputs, and addresses privacy risks, strengthening the AI governance and operational efficiency.
Building your AIMS now with ISO 42001 ensures readiness for current regulations and future changes, reducing the need for reactive overhauls.
Debunking common myths
When considering ISO 42001, organizations often worry about its feasibility, necessity, and impact on operations. We’re here to address these concerns and show how ISO 42001 can be a strategic advantage rather than a burden.
Myth 1: ISO 42001 is too resource-intensive
A common concern is that ISO 42001 is too resource-intensive, especially for smaller organizations with limited budgets or staffing. However, ISO 42001 is designed to be adaptable, allowing incremental implementation, focusing first on high-impact areas. The resources invested in building a governance framework are minimal compared to the costs of regulatory penalties, lawsuits, or reputational damage from mismanaged AI systems. By embedding lifecycle monitoring and risk management early, organizations can achieve long-term savings and proactively avoid costly complications.
Myth 2: Existing compliance makes ISO 42001 redundant
Some organizations believe existing regulatory compliance efforts like GDPR, NIS2, and DORA, make additional standards like ISO 42001 unnecessary. In reality, ISO 42001 complements these efforts by creating a unified framework that aligns diverse compliance requirements, streamlining implementation. This holistic approach ensures organizations not only meet regulatory minimums but also build trust, transparency, and resilience in their AI systems. ISO 42001 helps organizations adapt to new requirements rather than reacting shortsightedly.
Myth 3: ISO 42001 will hinder innovation
There’s a misconception that ISO 42001 will slow down AI development with bureaucratic hurdles. In reality, it’s an innovation enabler. ISO 42001 provides the structure needed to innovate responsibly, ensuring accountability, trust, and scalability. Its flexibility and scalability adapt to organizations of all sizes and AI maturity levels, allowing teams to align quickly with innovation goals. It provides structured risk management and lifecycle monitoring, preventing disruptions from unexpected risks or ethical issues. By building trust with stakeholders, ISO 42001 gives organizations a competitive edge, speeding up the adoption of AI solutions.
Steps for ISO 42001 implementation in 2025
- Understand ISO 42001 and the regulatory landscape. Start by researching current and upcoming AI-related regulations like the EU AI Act, US state legislation, and global standards. It’s important to understand how these regulations impact your business and how ISO 42001 can help you comply. This ensures your AI systems are aligned with legal requirements and ready for future changes.
- Determine your scope and develop an implementation plan. Conduct a gap analysis to identify discrepancies between your existing AI governance framework and ISO 42001 requirements. Develop a step-by-step implementation roadmap to address these gaps, prioritizing areas that will have the greatest impact on your business. This streamlines the transition to ISO 42001 compliance.
- Define your desired outcomes. Utilize ISO 42001 to clearly define the desired outcomes for your AI systems. Align these with business objectives to ensure governance efforts directly support strategic goals.
- Communicate your commitment to responsible AI with stakeholders. Engage with customers, investors, and partners to communicate your commitment to responsible AI governance. Use Clause 7.4 (Communication) and 7.5 (Documented Information) of ISO 42001 to ensure transparency and traceability.
A-LIGN is at the forefront of ISO 42001 certification and has a team of experts ready to help you navigate the audit process and achieve ISO 42001 compliance. Reach out to us today to get started with ISO 42001 certification for 2025.
The CMMC Assessment Process (CAP) is the official guide used by C3PAOs (CMMC Third-Party Assessment Organizations) to conduct a CMMC Level 2 certification assessment. C3PAOs use the CAP to make sure the assessment maintains consistency and integrity when an Organization Seeking Certification (OSC) goes through the process of getting certified.
The Cyber AB recently released the official CAP guide for CMMC Level 2 assessments, so we’re here to break down what you need to know.
What is the purpose of the CAP?
The CAP is the procedural guide for C3PAOs conducting a CMMC Level 2 certification assessment. It’s used to ensure the consistency and integrity of CMMC assessments, ensuring C3PAOs and their CMMC Certified Assessors (CCAs) meet Cyber AB requirements.
While the CAP outlines the process to try to standardize all CMMC assessments, not all C3PAOs are created equal. Check out the CMMC Buyer’s Guide to learn more about choosing a C3PAO and get a list of questions to ask as you’re making your selection.
The four phases of the CAP
The CMMC assessment process consists of four phases that cover the steps before, during, and after the actual assessment:
- Phase 1: Conduct the pre-assessment
- Phase 2: Assess conformity to security requirements
- Phase 3: Complete and report assessment results
- Phase 4: Issue certificate and close out POA&M
Phase 1: Conduct the pre-assessment
The pre-assessment phase validates that organizations are prepared for the CMMC Level 2 assessment. This phase ensures that all the required documents, evidence, and resources are in place before starting the formal assessment. The C3PAO will review the System Security Plan (SSP), confirm the scope of the assessment, and assemble the assessment team. The C3PAO will then complete the Pre-Assessment Form, documenting key information such as the organization’s CAGE code, SSP title, contact details, and readiness determination. The goal is to make sure that the organization is fully ready for the assessment.
Phase 2: Assess conformity to security requirements
In this phase, the CMMC Level 2 assessment takes place, and the implementation of security requirements is evaluated. At the beginning of this phase, the lead CCA will facilitate an “in-brief” meeting, which is a kick-off meeting to align on assessment scope, procedures, and schedule. Then, the real work begins. The C3PAO assessment team will review implementation of security requirements and conduct assessment scoring. Throughout this process, the assessment team will meet every day with the organization to monitor progress, address challenges, and maintain quality and consistency. The goal of this phase is to verify that the organization meets the assessment objectives.
Phase 3: Complete and report assessment results
This phase focuses on finalizing and documenting the assessment results. A formal quality assurance review takes place by a CCA outside of the assessment team to check the accuracy and completeness of the results, which are then presented to the organization before being submitted into the CMMC system. This is also when the “out-brief” meeting occurs, where the lead CCA and assessment team present the assessment results briefing.
Phase 4: Issue certificate and close out POA&M
The fourth phase involves the final steps of the certification process. This is when the organization receives the official CMMC Level 2 certificate. In the case that the organization received a conditional certificate, they will need to address and close out any remaining Plan of Action and Milestones (POA&M) items. Once these items are closed out, the organization will be reassessed by a C3PAO to receive full CMMC Level 2 certification.
Getting certified in 2025
Understanding the four phases of the CAP will help ensure a smooth path to certification. At A-LIGN, we specialize in guiding organizations through this process. As an accredited C3PAO with over 1000 federal assessments completed, we are dedicated to being your partner in achieving and maintaining compliance.
Contact us today to secure your spot in our CMMC certification queue and learn how we can support all your compliance needs.
As new guidance is released and more organizations begin their journey to become CMMC certified, it’s important to understand the certification process and how it will impact your company. Read on to learn what the guidance means for you, what to look for in a C3PAO, and prepare for your assessment. Follow along and download the guide here.
What is CMMC?
CMMC stands for Cybersecurity Maturity Model Certification. The program requires DoD contractors that handle Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) to implement the required cybersecurity practices and to demonstrate that implementation through a self-assessment, a C3PAO assessment, or a DoD-led assessment, depending on the level.
CMMC 2.0 will be mandatory for all entities doing business with the DoD at any tier of the supply chain that store, process, or transmit FCI or CUI. Prime contractors and their subcontractors will be required to meet one of the three CMMC levels and demonstrate that cybersecurity has been sufficiently implemented through the validation activities required for that level. The initial award or continuance of a DoD contract will depend on CMMC compliance.
Contractors will only be permitted to receive or share DoD information related to programs and projects if they have completed the CMMC process. At the time that a contractor’s contract is up for renewal, they must be CMMC compliant.
Defining the CMMC journey
To simplify the CMMC process, we’ve developed a five-step journey that will take your organization from understanding through certification and beyond.
Understand
Read the CMMC final rule, understand program requirements, review DoD’s resources, and familiarize yourself with the practices outlined in the model for each of the CMMC levels.
Identify
First, you’ll need to identify your CMMC level. Later in this guide, we provide an overview of the levels so you can determine which is most applicable to your organization.
Based on your level, you must identify the assets in scope for your CMMC assessment. Refer to the Scoping Guidance from DoD for levels 1-3.
As a part of this step, you should also complete a gap assessment to identify any areas where there are gaps in your compliance.
Prepare
To prepare for the assessment, we recommend developing an implementation plan addressing any vulnerabilities found in the gap assessment to ensure compliance to the CMMC standard.
Complete the necessary documentation to outline your organization’s compliance with the CMMC standard including policies and procedures, and your System Security Plan.
Prepare for the C3PAO assessment by gathering all evidence needed and preparing for the interview questions that will be a part of your assessment.
A helpful way to ensure you’re prepared is to have a C3PAO perform a mock audit against applicable CMMC practices.
Assess
Now, for Level 2 organizations whose contracts require third-party certification, your C3PAO will complete the CMMC assessment. Level 3 organizations must first hold a Level 2 certification from a C3PAO and are then assessed by the DoD.
Following the Cyber AB’s CMMC Assessment Process (CAP), the C3PAO will review your documentation, examine evidence, and complete interviews with your team before putting together the final report.
If you’ve done the appropriate pre-work, gap assessments, and mock assessments, your team should be well prepared for this step in the process.
Improve
After receiving your certification, the work continues. Plan for continuous improvement and ensure you understand the next steps for future assessments.
Submit the annual affirmation of continued compliance required for your level, and perform the periodic self-assessment if your level permits self-assessment instead of third-party certification.
Assessing your needs
Now that you understand the steps of the CMMC journey, it’s crucial to evaluate your organization’s readiness and preparation to set a clear roadmap.
Start by familiarizing yourself with the different CMMC levels and identifying where your organization stands. This is part of the “Identify” step.
If necessary, consider a partner to help you prepare for the assessment. Later in this guide, we outline the types of CMMC partners available so you can make the best decision for your organization’s needs. Download our CMMC Buyer’s Guide to follow along.
Explaining the CMMC levels
CMMC 2.0 Level 1 (“Foundational”) requirements
Level 1 contractors handle Federal Contract Information (FCI) but not CUI. One of the more significant changes from CMMC 1.0 to 2.0 is that Level 1 is now a self-assessment only, placing this responsibility on the organization itself. Level 1 includes the same 15 controls outlined in Federal Acquisition Regulation (FAR) 52.204-21.
CMMC 2.0 Level 2 (“Advanced”) requirements
Level 2 contractors are those that handle CUI. Processes at this level are maintained and followed, and there is a comprehensive knowledge of cyber assets. The DoD has pared down the 130 practices in the original CMMC Level 3 baseline to the 110 practices outlined in the National Institute of Standards and Technology (NIST) Special Publication 800-171. “Critical” handlers of CUI will need a third-party assessment by a CMMC Third Party Assessment Organization (C3PAO) for CMMC certification every three years. Level 2 processes must be documented and managed to protect CUI.
CMMC 2.0 Level 3 (“Expert”) requirements
Level 3 is for organizations with the highest-priority programs with CUI. The processes involved at this level include continuous improvement across the enterprise and defensive responses performed at machine speed. This level replaces what was formerly known as CMMC Level 5. Level 3 adds requirements drawn from NIST SP 800-172 on top of the Level 2 requirements. Organizations are expected to be assessed by the DoD directly every three years for Level 3 requirements.
Preparation and readiness
Once you understand your CMMC level, preparation for the assessment can begin. Many organizations seek assistance with preparation and readiness before taking the final step of the assessment for certification with a C3PAO.
There are different types of partner organizations that can help you prepare for CMMC.
MSSPs and consulting firms
Managed Security Services Providers (MSSPs) and consulting firms can assist with program development, policy and procedure development, implementation, and ongoing CMMC management.
RPs & RPOs
Registered Practitioner Organizations (RPOs) provide CMMC guidance and support to Organizations Seeking Certification in the DIB. Registered Practitioner (RP) is a certification for an individual who can provide CMMC guidance, advice, and support. Many MSPs/MSSPs are also RPOs.
GRC partners
Governance, Risk & Compliance (GRC) partners help organizations conduct risk assessments, develop and enforce cybersecurity policies, and provide continuous monitoring. GRC platforms can streamline and automate the preparation process and ensure ongoing compliance.
Selecting a C3PAO
What is a C3PAO?
The Cyber AB authorizes a CMMC Third Party Assessment Organization (C3PAO) to contract and manage CMMC assessments. Only authorized C3PAOs can conduct CMMC assessments.
Currently, ~60 C3PAOs can assess CMMC and more than 80,000 organizations need assessments. That means early adopters will have their pick of C3PAOs and will be first in line to receive certification.
A C3PAO will be an essential partner in your CMMC journey, so you must choose an organization that meets your needs. Although the Cyber AB authorizes all C3PAOs, each organization has different strengths and weaknesses.
Factors to consider when choosing a C3PAO
Expertise
Above all, you want to choose a C3PAO experienced in federal compliance, such as FedRAMP, NIST, and StateRAMP. Their deep understanding of the CMMC and NIST 800-171 frameworks ensures they can guide you through the necessary controls and requirements, helping you avoid common pitfalls and ensuring a smoother path to certification. You should consider how long the C3PAO has been in business, the experience of its employees, and its overall knowledge of cybersecurity compliance.
Quality
Not all assessment teams and final audit reports are created equal. While some organizations check the box, others go above and beyond to ensure quality at every step. High-quality C3PAOs bring extensive experience and a deep understanding of CMMC requirements, which helps identify and address potential compliance issues effectively. This reduces the risk of failing the assessment and ensures that your organization meets all necessary standards. Additionally, a quality C3PAO provides detailed feedback, helping you improve your cybersecurity posture and maintain compliance over time.
Efficiency
Efficiency directly impacts the time and resources required to achieve certification. The CMMC process can be cumbersome to navigate, but some C3PAOs offer technology to help streamline the process. This accelerates the certification process and minimizes disruptions to your operations. Additionally, efficient assessors help ensure that your organization remains aligned with CMMC requirements without incurring unnecessary costs. To further increase efficiency, consider a firm who can tackle additional frameworks such as SOC 2, ISO 27001, and more.
Timing
We expect to see CMMC as a requirement in DoD contracts in early 2026, meaning organizations must give themselves ample time to prepare for and complete the assessment. Because CMMC is a new rule, most organizations will need months to prepare the necessary compliance and documentation. Organizations will need 6-12 months of preparation before beginning the assessment. When choosing a C3PAO, timing should be a key consideration, so be sure to ask how soon you can get started and find out your place in the assessment queue.
Budget
While some affected organizations are used to budgeting for compliance, CMMC also covers businesses that may not have a compliance program or budget. Budget is an important consideration, but as with most things, you get what you pay for. Beware of budget C3PAOs that are offering assessments for under-market value. When looking at the budget, you should balance it with other factors that are important to you. Are you willing to pay more to expedite your timeline? Is the C3PAO you choose known for quality? Is it worth it to spend more to work with a trusted auditor instead of a brand-new firm?
Case Study: Network Coverage
Network Coverage is a managed service provider (MSP) that integrates technology and cloud solutions within business operations to improve productivity and security with as few issues and disruptions as possible. Network Coverage has been proactive in addressing the compliance needs of DoD subcontractors. Anticipating the impact of CMMC and the need for an assessor with federal compliance expertise, Network Coverage adapted from NIST 800-171 to CMMC 2.0 and engaged a reputable C3PAO for their federal compliance expertise.
A-LIGN’s skilled auditors and responsive team have been instrumental in preparing for CMMC compliance, validating Network Coverage’s control set formally, and enhancing its marketability as a reputable MSP. Network Coverage found A-LIGN’s visibility into control crossover among multiple frameworks, such as SOC 2 and ISO 27001, to be a significant time saver. Network Coverage emphasizes planning, budgeting, and continuous monitoring for CMMC readiness, advising subcontractors to review contracts, conduct needs assessments, and prepare for third-party certification, leveraging A-LIGN’s expertise to streamline the process.
“We’re seeing urgency around CMMC that we’ve never seen before. Contractors taking the wait-and-see approach need to have these conversations now. If they’re not having the conversations, now is the time to start.”
-Bridget Wilson, SVP Governance Risk & Compliance
Checklist: Questions to ask a C3PAO
Selecting a C3PAO is a vital step of the CMMC assessment process. It will significantly impact the assessment experience and your final report. This checklist outlines key questions to ask a C3PAO to ensure you’re choosing the best fit for your needs.
- What is your experience with CMMC/NIST SP 800-171 assessments?
- How many CMMC Certified Assessors (CCAs) and CMMC Certified Professionals (CCPs) do you have?
- Are your CCAs and CCPs full-time employees or contractors?
- Does your team have experience with other federal assessments?
- How many federal clients do you have?
- How many federal audits and assessments have you completed?
- Does your organization conduct assessments beyond CMMC?
- What other federal or non-federal assessments/attestations/certifications does your organization provide?
- What efficiencies can we gain by consolidating our audits with a single provider?
- What can I expect in the assessment process?
- What is your team’s standard response time?
- Do you utilize technology that drives efficiency and streamlines the audit process?
- How much will my CMMC assessment cost?
- What are your rates, and what do they include?
- What is the timeline for assessment?
- What is the lead time to begin the assessment?
- How long do you anticipate the assessment process will take?
- Do you have references and case studies from satisfied customers?
Ready to take the next step? Download the guide or contact us to learn more.
The responsibility of implementing and tracking the use of artificial intelligence at any company is growing more important every day as AI usage increases. In fact, in a survey from McKinsey, 65% of respondents say their organizations are regularly using generative AI in at least one business function, nearly doubling the survey’s last results.
Interested in developing an AI policy for your company? Read on to learn why it’s important and how to get started. Download the template to follow along.
Why is an AI policy important?
Beyond keeping pace with the trend (44% of companies already have an AI policy in place, according to Littler), an AI policy protects your company from potential lawsuits and liabilities. Used without clear rules, AI-based tools can expose sensitive data or inadvertently cause copyright infringement. Such policies are also a required element of AI frameworks and regulations like ISO 42001 and the EU AI Act.
Who needs an AI policy?
Deciding whether your company needs an AI policy doesn’t have to be complicated. Consider whether your company fits into one of these groups:
- Your company or employees are using AI to some degree in their day-to-day
- Your company is developing technologies that use AI
- Your company needs to adhere to frameworks and regulations like ISO 42001 and the EU AI Act
What should an AI policy include?
Cover your bases. If you’ve developed company-wide policies before, you might have a framework in mind. Regardless, keep these key elements top of mind:
- The purpose and scope of the policy
- Alignment with company goals
- Process for deviations
- Risk management
- Monitoring and reporting
- External communication and transparency
Your company’s AI policy should be tailored to your company’s current and future use of AI. Not every policy will look the same, and this list isn’t exhaustive. You might also want to include required training for your employees or rules on which AI tools and data uses are approved.
How can I get started?
For more, download this AI policy template developed by A-LIGN’s expert auditors to help you get started.
Competing priorities, ever-changing standards, and a nonstop audit cycle can make tracking and executing audit plans a challenge. Enterprises are now turning to their audit partners to streamline the process and provide strategic plans through a process called audit consolidation. Read on to learn more from A-LIGN’s 2025 Compliance Benchmark Report.
According to A-LIGN’s survey, 92% of organizations conduct at least two audits or assessments each year, with 58% conducting four or more audits. So, it should come as no surprise that nearly two-thirds of organizations are spending at least three months per year preparing for audits. This reactive, one-off approach likely has some impact on the available resources dedicated to compliance.
In this blog, we will share some of the benefits of consolidating audits and auditors and some of the best practices to do so.
What are the benefits of consolidating audits?
Audit harmonization can reduce complexity and streamline compliance efforts by creating a close partnership between companies and their auditors. Auditors work with clients to create a compliance strategy that not only meets regulatory standards but also enhances customer trust, reduces risk, improves efficiency, and drives additional revenue.
Additional benefits of consolidating audits include:
- Consistency across assessments: By consolidating audits, organizations can ensure a consistent approach to completing multiple assessments. This can help to standardize the audit process, reduce the risk of errors or inconsistencies, and provide a more comprehensive view of the organization’s compliance posture.
- Conducting multiple assessments with one vendor: Consolidating audits enables organizations to conduct multiple assessments with one vendor. This can help streamline the audit process, reduce costs, and improve communication and collaboration between the organization and the vendor.
- Reduction in duplicate evidence collection: Consolidating audits can also save time in evidence collecting. By consolidating multiple audits into a single event, organizations can more efficiently collect and organize the evidence required for each assessment, all at one time. This reduces the need to collect the same or similar evidence for different assessments throughout the year, reducing the amount of time and resources required to achieve compliance.
- Time savings: Consolidating audits can also save time for the auditor reviewing the evidence. By consolidating audits, auditors can more easily identify and review evidence that is relevant to multiple assessments, reducing the amount of time required to complete each audit (and the cost associated with their work).
In addition to consolidating audits, organizations can also streamline compliance by consolidating their auditors with a single provider.
What are the benefits of consolidating auditors?
Consolidating auditors involves working with a single provider to manage all of your audits, instead of hiring multiple auditors across different areas of focus.
A-LIGN’s research shows that half of organizations might switch audit service providers for more efficient, less time-consuming processes and 45% would do so for cost savings. Consolidating audit service providers could help realize these benefits.
By consolidating auditors, organizations can realize several advantages, including:
- More efficient and effective audits: Consolidating auditors can reduce the time and resources required to manage multiple vendors. By working with a single provider, organizations can streamline the audit process and reduce the administrative burden of managing multiple auditors.
- Cost savings: Another significant benefit of consolidating auditors is cost savings. By working with a single provider, you can negotiate better rates and reduce the overall cost of your compliance program. Furthermore, consolidated audits reduce the time spent managing the audit process, which can help reduce costs and increase efficiency.
- Improved communication: Consolidating auditors can help improve communication and collaboration between different areas of your organization. By working with a single provider, you can ensure that everyone is on the same page and that all compliance activities are aligned with your organization’s goals.
- Technological advantages: Working with a single provider can ensure that everyone is using the same audit management tools and software, which can minimize the administrative burden and complexity of managing multiple vendors. Furthermore, vendors such as A-LIGN offer proprietary compliance management platforms with powerful features, including automated evidence collection and task management, further reducing the time and effort required to manage compliance assessments.
Organizations should carefully consider their options when selecting an auditor and ensure that they are working with a provider that can meet their unique needs. It’s important to choose an auditor that has experience in your industry and understands the specific regulations and standards that you must comply with. Additionally, organizations should carefully review the audit methodology and approach used by the provider to ensure that it aligns with their overall compliance goals.
Want to learn more? Contact us today to learn how A-LIGN can save you time and streamline your audit process.
As artificial intelligence (AI) continues to position itself as an integral part of business operations in 2025, safeguarding AI systems against security threats is essential. Recognizing this need, HITRUST has launched its own AI Security Assessment, offering organizations a robust framework to address the unique challenges of deployed AI technologies.
What is the HITRUST AI Security Assessment?
HITRUST’s AI Security Assessment provides a structured approach to evaluate and manage AI-related risks, ensuring secure, transparent, and ethical AI practices not only for healthcare organizations, but for businesses operating across all sectors.
Based on ISO/IEC 23894:2023 and the NIST AI Risk Management Framework, this assessment includes 51 controls for AI governance to ensure comprehensive risk management without disrupting current and ongoing compliance efforts.
Key features of the HITRUST AI Security Assessment include:
- Curated security controls: Focused on the distinct challenges posed by AI technologies, these controls are specifically designed to address AI-related vulnerabilities.
- AI-specific threat requirements: The assessment leverages insights from authoritative sources to establish security requirements that counter emerging AI threats.
- Control inheritance: Organizations can inherit controls from their AI solution providers, streamlining the assessment process and reducing administrative burdens.
The assessment provides a report with strengths and improvement areas, adaptable for various AI stages, supporting self-assessment or HITRUST validation. Certified entities will receive HITRUST e1, i1, or r2 Certification reports and letters, as well as AI Security Certification reports and letters.
Who can get a HITRUST AI Security Assessment?
Although organizations in any industry can conduct a HITRUST AI Security Assessment, certain guidelines must be met to achieve certification:
- Be an AI platform and product provider – this excludes AI developers, users and partners
- Achieve HITRUST e1, i1, or r2 certification prior to the AI Security Assessment
- Achieve the following minimum score on applicable assessments:
  - e1 and i1 assessments: 83
  - r2 assessments: 62
Why should organizations pursue a HITRUST AI Security Assessment?
Businesses across all industries are heavily investing in AI as its use expands rapidly. However, AI systems process sensitive data, making them prime targets for cyberattacks.
With new regulations like the EU AI Act, organizations must proactively manage AI risks to ensure compliance and gain a competitive edge as reliance on AI grows.
Ensuring robust security measures is crucial for protecting data integrity, preventing breaches, and maintaining compliance. The HITRUST AI Security Assessment provides a structured framework to address these challenges, fostering trust and resilience in your AI initiatives.
Additionally, organizations using CSF v11.4.0 or newer can now add the “Cybersecurity for AI Systems” compliance factor through the MyCSF platform. This integration, which requires additional report credits and adheres to standard QA reservation protocols for validated reports, seamlessly integrates with existing HITRUST e1, i1, and r2 assessments.
Partnering with A-LIGN for your HITRUST AI cybersecurity needs
A-LIGN provides comprehensive services to guide your organization through the HITRUST AI Security Assessment process, no matter where you are on your journey.
- Advisory services: Our readiness assessments identify gaps and prepare your organization to meet HITRUST requirements efficiently.
- Comprehensive assessments: We conduct HITRUST AI Security Assessments, as well as HITRUST AI Risk Management Assessments, and handle submission to HITRUST for certification, streamlining your compliance journey.
- End-to-end support: From preparation to certification, we ensure a smooth process, allowing your team to focus on core business activities.
The HITRUST AI Security Assessment helps to safeguard AI technologies against evolving threats. With A-LIGN’s high-quality audit services and unparalleled expertise, you can confidently navigate this process, enhancing your AI security posture and maintaining compliance with global standards.
Contact A-LIGN and one of our compliance experts will be in touch to start your HITRUST AI security journey.
Achieving Cybersecurity Maturity Model Certification (CMMC) is essential for organizations in the Defense Industrial Base (DIB), yet diving into certification without adequate preparation can lead to costly setbacks. Many organizations rush to hire a CMMC Third-Party Assessor Organization (C3PAO) prematurely, often bypassing essential preparatory steps. This post highlights how leveraging a qualified Managed Service Provider (MSP) with Registered Practitioner (RP) status, like CyberSheath, can help organizations prepare for certification with compliance-driven IT and security services.
CMMC roles and responsibilities: Qualified MSP/RPs and C3PAOs
To understand the CMMC compliance process, it’s essential to recognize the distinct roles of MSPs, RPs, and C3PAOs:
- Qualified MSPs with Registered Practitioner (RP) status: Not every RP is equipped to support CMMC compliance operationally. An RP may only advise; an MSP that also holds RP credentials, like CyberSheath, offers advisory support plus the practical, day-to-day IT and security services that keep a client’s environment continuously aligned with CMMC requirements.
- C3PAOs: CMMC Third-Party Assessor Organizations (C3PAOs) are authorized by the Cyber AB to conduct official CMMC certification assessments. To preserve the independence certification requires, a C3PAO cannot provide advisory or compliance services to an organization it will assess. C3PAOs are limited to performing formal CMMC assessments and mock assessments, helping organizations understand what a real assessment entails without affecting the environment being certified.
Common pitfalls in CMMC compliance preparation
Rushing into the certification process without sufficient preparation can lead to costly missteps. Here are some common mistakes to avoid:
1. Engaging a C3PAO prematurely
Hiring a C3PAO before your organization is fully prepared can lead to failed assessments and unnecessary expenses. Organizations sometimes assume they’re ready simply because they’ve implemented certain cybersecurity controls. However, without thorough preparation and understanding of CMMC requirements, critical compliance gaps are often overlooked. This is why many organizations find that working with a qualified MSP/RP like CyberSheath is beneficial, as it allows them to address compliance needs with operational IT and security services before undergoing the formal assessment.
2. Skipping the gap assessment
A gap assessment is a foundational step for effective CMMC preparation. While it’s possible to conduct a self-assessment, qualified MSPs with RP status, such as CyberSheath, provide gap assessments that evaluate an organization’s practices against CMMC requirements, identifying critical areas for improvement. MSPs that serve as RPs not only perform assessments but support day-to-day compliance operations, distinguishing themselves from RPs who only advise. This operational involvement enables MSPs to support clients in maintaining the specific security standards necessary for certification.
3. Underestimating the importance of compliance-focused operational services
Organizations sometimes overlook the value of compliance-focused operational services in preparing for CMMC certification. A qualified MSP/RP like CyberSheath offers more than advisory support—it provides ongoing compliance IT and security services that are fundamental to daily operations and directly aligned with CMMC requirements. This goes beyond checklist guidance, as MSP/RPs are responsible for helping DIB clients maintain a compliant environment in their routine operations, embedding compliance into every aspect of IT and security.
4. Blurring the boundaries between compliance services and certification
Ensuring separation between compliance services and certification is crucial for an unbiased audit. Leveraging a qualified MSP/RP for compliance support ensures readiness without compromising the objectivity of the C3PAO certification process. Once prepared, engaging an independent C3PAO for the official audit not only meets Cyber-AB’s requirements but also ensures a fair, unbiased certification process.
Preparing for a successful CMMC audit
To prepare effectively for CMMC certification, follow these steps:
- Start with a gap assessment by a qualified MSP/RP: Begin with a comprehensive gap assessment to identify areas of noncompliance. Working with an MSP/RP provides additional insight into how operational compliance can be embedded into daily activities, minimizing the risk of unexpected issues during the formal audit.
- Implement compliance-focused operational services: Compliance services offered by an MSP/RP go beyond basic advisory—they encompass IT and security operations that meet CMMC standards day-to-day. This ensures the organization’s environment is consistently aligned with CMMC requirements, making them better prepared for certification.
- Begin C3PAO assessment: Because assessor availability is limited and demand is backlogged, it is recommended to contract with a C3PAO early to secure a place in the queue, while scheduling the actual assessment only once implementation and remediation are complete. Remember, CMMC certification runs on a three-year cycle with annual affirmations of continued compliance, and you’ll need to reassess if significant changes affect your certified environment.
Rushing into CMMC certification without sufficient preparation can lead to costly delays. By leveraging the operational compliance services of a qualified MSP/RP like CyberSheath, organizations can ensure their environment meets CMMC requirements before engaging a C3PAO for the formal audit. This strategic approach optimizes resources and maximizes the chances of a successful CMMC certification, establishing a compliant foundation for the three-year certification cycle ahead.
In business, like in sports, achieving greatness isn’t just about recruiting star players – it’s about building a championship team. Bill Belichick didn’t just assemble a roster of talented athletes, he built champions through rigorous training, discipline, and leadership. At A-LIGN, we follow the same principles. We recruit strong professionals and then coach them to become industry leaders that other teams want in their starting lineup.
Let’s break down our strategy of building a championship team of audit professionals.
A-LIGN’s talent philosophy
Championships aren’t won on raw talent alone. A successful team is made up of individuals with different strengths – from grit and intelligence to a team-first attitude – all guided by effective leadership. These qualities don’t come easy, as some are intrinsically present, while others must be cultivated over time.
A strong talent development program is the foundation for high-caliber teams. There’s a direct correlation between a team’s effectiveness and its win-loss record, or in our case, the growth of our clients and A-LIGN. With company performance expectations trending higher than ever, it’s no longer enough to simply offer training and development programs. An organization’s game plan must include a talent development strategy that makes its way into every facet of its culture.
Developing championship talent
How do organizations stay competitive and maintain a deep bench of talent? By treating talent development like a long-term contract and investing in their future. Just like a winning team trains every player to not only perform at their peak but to lead, innovate, and deliver results, businesses must do the same.
Technical training programs
A-LIGN’s technical training programs are designed to develop well-rounded professionals by combining technical expertise with strong leadership skills. Our technical programs are essential for providing a comprehensive overview of the audit lifecycle, enhancing auditors’ technical expertise in regulatory and third-party standards, and integrating real project-related examples into the curriculum.
These programs allow employees to practice applying technical concepts in meaningful ways, fostering a deeper understanding of their work. By making these learning experiences a core part of our culture, we encourage continuous growth and collaboration, ensuring that our team stays at the forefront of industry standards and innovations.
Leadership and development curriculum
Our leadership and development programs teach everything from leader identity, effective communication, emotional intelligence, and successful feedback, to developing strategy and vision. As with all successful teams, there are coaches who support the players in real time whether in practice or on the field. At A-LIGN, we have a full-time internal leadership coach who focuses on providing feedback and skill development for employees at every level.
With the help of our leadership, manager, and player coaches, our professionals are in a continuous growth model. Being technically strong is essential, but the true MVPs are those with the skills to lead their team, adapt on the fly, and make tough decisions when the game is on the line.
Investing in our industry’s future
This level of investment in our people comes at a price. When you develop top talent, others take notice and want to recruit your players to join their team. We believe this is a sign of strength – we’ve recruited, grown, and developed the best in the industry.
Our auditors, trained and tested through A-LIGN’s programs, often get recruited for key leadership roles at other organizations. When they move on, they carry our standards, our values, and our commitment to quality into the broader field. At times like these, A-LIGN’s coaching tree ensures that new generations of auditors, managers, and directors are developed, maintaining a deep bench for seamless, high-quality service delivery.
We’re not just building great security and compliance professionals; we are actively investing in the advancement of the industry. Every professional who has been through our system continues to raise the bar wherever they go.
We welcome this challenge because we’re not just in it to win for ourselves. We’re here to elevate the game for the entire cybersecurity compliance industry. As we continue to recruit, train, and develop top talent we know that our legacy extends far beyond our locker room.
On October 15, 2024, the Department of Defense (DoD) published the final 32 CFR rule for CMMC 2.0 in the Federal Register. The long-awaited rule outlines the requirements for defense contractors and subcontractors, defines the levels and assessment types, outlines responsibilities for CMMC third-party assessment organizations (C3PAOs), and sets the implementation timeline.
Now that the CMMC program rule is finalized, here are the key takeaways you need to know.
Notable updates on CMMC final rule
Draft versions of the CMMC rule have circulated for months, providing strong indicators of the direction of the program. But, as expected, there are a few notable changes and updates in the final rule.
Program timeline
The effective date for CMMC is December 16, 2024. This is the date when the CMMC program will be live and operating. However, C3PAOs cannot begin certification assessments for organizations seeking Level 2 certification until January 2, 2025.
Organizations are still waiting for an additional rule, the 48 CFR rule, to be published, which will add CMMC certification as a requirement in DoD contracts. That rule is expected to be published in Q2 2025.
Organizations that get certified ahead of upcoming contractual requirements will be set to meet those requirements without delay. This is one of the many reasons we encourage organizations to get in the queue for certification as soon as possible.
External service provider applicability
The biggest difference between the proposed and final rule has to do with external service provider (ESP) certification. In earlier versions of the proposed rule, ESPs, such as managed service providers (MSPs) were required to obtain CMMC certification. Under the final rule, it is not required for ESPs to obtain their own certification.
However, it is still highly encouraged that ESPs should pursue CMMC certification. If ESPs decide to not pursue CMMC certification, then their assets will be in scope of their client’s assessments by a C3PAO. This means that ESPs could negatively impact their clients’ timelines by adding additional hurdles to review assets. Therefore, it is highly encouraged that ESPs get CMMC certified in order to streamline the process – which many of them were planning to do before the final rule was published.
Assessment staffing
The final rule includes an important update on staffing. The Cyber AB, the accreditation body behind CMMC certification, has a program for training and certifying the individuals who conduct CMMC assessments. There are two levels: Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA).
The CMMC final rule outlines that three CCAs must be involved in each assessment. Two CCAs will be required on the assessment team and one CCA will be a part of QA review.
This mandate for trained and certified professionals to conduct CMMC assessments will help to set a standard for excellence. However, it may create challenges for smaller C3PAOs with limited staff resources, resulting in longer wait times for assessments.
Requirements for CMMC level 2 compliance
The majority of organizations affected by CMMC will fall into level 2. The final rule defines the requirements for level 2:
- If you store, process, or transmit Controlled Unclassified Information (CUI), you will need to obtain Level 2 Certification via an assessment by a C3PAO
- Organizations Seeking Certification (OSCs) will need to implement the 110 security requirements in NIST SP 800-171 and meet all 320 assessment objectives in NIST SP 800-171A
- While the DoD contract requirement rollout will likely begin in 2026, primes may begin placing CMMC requirements on their subcontractors before then
Get started with CMMC now
If you haven’t gotten started on your plan for CMMC compliance, now is the time to start. Once CMMC requirements show up in DoD contracts, if you are not CMMC certified, you risk being left out of the defense contractor ecosystem.
A-LIGN is a globally recognized cybersecurity and privacy compliance provider that offers a single-provider approach for organizations. With more than 1,000 federal assessments completed, A-LIGN is an accredited C3PAO and FedRAMP 3PAO with extensive experience across NIST frameworks.
Contact us today to secure your spot in line.