The Role of IT Decision Makers in StateRAMP Compliance

The journey towards StateRAMP compliance is complex, with IT decision-makers at the strategic forefront. ITDMs are responsible for an organization’s infrastructure, including security and regulations, guiding their organizations through the nuances of the compliance process.  While working with a framework like StateRAMP, these decision-makers will inevitably have to take leading roles in guiding company culture… Read More

FedRAMP and Evolving Requirements for MSPs and SaaS Providers

The FedRAMP OMB has recently released a memorandum on modernizing the standard to address new realities in digital technology.  This shift reflects the increasing reliance on Software-as-a-Service (SaaS) and the strategic roles of Managed Service Providers (MSPs) in the federal, as well as the impact of new technologies like artificial intelligence. This article aims to… Read More

Implementing SOC 2 Requirements for Cloud Environments

SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More

CMMC 2.0 and Level 2 Maturity

CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). … Read More

What Is ISO 9001

ISO 9001 is a universally recognized standard that provides a framework for organizations to establish, implement, and refine their quality management systems. Rooted in principles that prioritize customer satisfaction, leadership involvement, and a continuous improvement ethos, ISO 9001 offers a structured approach to achieving excellence in operational processes.  This article delves into the intricacies of… Read More

CCPA and CPRA Attestations and Audits

The California Consumer Privacy Act (CCPA)  is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy. Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas. As concerns about data privacy… Read More

Complying with GDPR Requirements and the Europrivacy Certification Mechanism

GDPR certification is quickly becoming a topic of concern for enterprise businesses worldwide. With news of Meta’s record-breaking $1.3B fine from the European Union, companies are learning that data privacy and compliance in the EU is no joke. This article will dig into GDPR to discuss how organizations can approach their security and privacy with best… Read More

What Is FINRA and How Does it Handle Cybersecurity?

It has become increasingly important for financial institutions to adopt robust security measures to safeguard their client’s assets and personal data. To address this challenge, FINDA has established a comprehensive set of rules to enhance its member firms’ cybersecurity posture. However, there isn’t a set-in-stone framework for specific security measures. Instead, FINRA consists of obligations… Read More

Maintaining HIPAA Compliance with IoT Devices

In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these… Read More

What is the Structure of a SOC 2 Report?

Understanding the structure of a SOC 2 report is essential for both businesses and service providers who are thinking ahead to their audit and attestation. It will serve as the “story” of an organization’s SOC 2 journey, covering the evaluation of their adherence to the Trust Services Criteria (TSC)–security, availability, processing integrity, confidentiality, and privacy. … Read More

What Information Is Included in a FedRAMP System Assessment Report (SAR)?

The Federal Risk and Authorization Management Program (FedRAMP) is a security assessment and authorization program for cloud services used by the federal government. It is designed to ensure that cloud services meet the federal government’s security requirements, and that sensitive government data remains protected. A critical component of the FedRAMP security authorization process is the… Read More

StateRAMP, Subnetworks, and Boundary Security

StateRAMP guidelines include network security standards from NIST 800-53, with specific requirements for implementing those guidelines based on the application and data processing. Implementing boundary controls is one of the more relevant and sometimes challenging aspects of compliance network security. Here, we will dig into how StateRAMP (and FedRAMP, to some extent) approach subnetworks and… Read More

What Is StateRAMP Fast Track?

Much hay has been made about how cloud providers can take advantage of the new StateRAMP program. Only a few years into operations, there are already questions about how governments and cloud providers can leverage the requirements to bring top-tier cybersecurity to a local level. One of these questions involves the adoption of StateRAMP standards… Read More

What Is the Threat-Based Risk Profiling Methodology in FedRAMP?

In February 2022, the FedRAMP Program Management Office updated the rules for their threat-based profiling methodology. This little-known approach to FedRAMP risk profiling and the rating security controls serves as the program’s effort to streamline authorization and program management with industry knowledge and agile development methodologies. 

FedRAMP and FIPS-Defined Impact Levels

One of the foundational pieces of information that a cloud provider needs to know when preparing for their FedRAMP Authorization is the required Impact Level. These levels aren’t generic labels applied by agencies to highlight the importance of their data–they are clearly-defined categories laid out by the National Institute of Standards and Technology (NIST) to… Read More

StateRAMP and Authentication: What You Need to Know

Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of… Read More

What Is FedRAMP Connect?

There are two clear paths through FedRAMP Authorization–the agency path and the much less-common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service… Read More

What Is FedRAMP JAB Provisional Authorization?

Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More

What Is the FedRAMP Agency Authorization Process?

As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More

StateRAMP Requirements for Vulnerability Scanning

Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More

ISO 17065 and the Standard for Certification Bodies

There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More