The journey towards StateRAMP compliance is complex, with IT decision-makers at the strategic forefront. ITDMs are responsible for an organization’s infrastructure, including security and regulations, guiding their organizations through the nuances of the compliance process. While working with a framework like StateRAMP, these decision-makers will inevitably have to take leading roles in guiding company culture… Read More
FedRAMP and Evolving Requirements for MSPs and SaaS Providers
The FedRAMP OMB has recently released a memorandum on modernizing the standard to address new realities in digital technology. This shift reflects the increasing reliance on Software-as-a-Service (SaaS) and the strategic roles of Managed Service Providers (MSPs) in the federal, as well as the impact of new technologies like artificial intelligence. This article aims to… Read More
Implementing SOC 2 Requirements for Cloud Environments
SOC 2 compliance provides a structured approach to ensuring data security, availability, and processing integrity, among other aspects. This article will dive into the specifics of SOC 2 and its impact on cloud security, shedding light on the technical controls, best practices, and the vital role of third-party attestations in bolstering trust between service providers… Read More
CMMC 2.0 and Level 2 Maturity
CMMC 2.0, while retaining the foundational principles of its predecessor, introduces refined maturity levels, each delineating a progressive enhancement in cybersecurity practices and protocols. Transitioning from Maturity Level 1 to Level 2 is not just about adding additional requirements to an organization. It’s about committing to security strategies to protect critical Controlled Unclassified Information (CUI). … Read More
What Is ISO 9001
ISO 9001 is a universally recognized standard that provides a framework for organizations to establish, implement, and refine their quality management systems. Rooted in principles that prioritize customer satisfaction, leadership involvement, and a continuous improvement ethos, ISO 9001 offers a structured approach to achieving excellence in operational processes. This article delves into the intricacies of… Read More
CCPA and CPRA Attestations and Audits
The California Consumer Privacy Act (CCPA) is a strict set of rules for companies in California, defining what these organizations must do to protect consumer privacy. Although the CCPA does not require formal audits, the upcoming CPRA expansion will call for these practices, particularly in consumer protection and privacy areas. As concerns about data privacy… Read More
Complying with GDPR Requirements and the Europrivacy Certification Mechanism
GDPR certification is quickly becoming a topic of concern for enterprise businesses worldwide. With news of Meta’s record-breaking $1.3B fine from the European Union, companies are learning that data privacy and compliance in the EU is no joke. This article will dig into GDPR to discuss how organizations can approach their security and privacy with best… Read More
What Is FINRA and How Does it Handle Cybersecurity?
It has become increasingly important for financial institutions to adopt robust security measures to safeguard their client’s assets and personal data. To address this challenge, FINDA has established a comprehensive set of rules to enhance its member firms’ cybersecurity posture. However, there isn’t a set-in-stone framework for specific security measures. Instead, FINRA consists of obligations… Read More
Maintaining HIPAA Compliance with IoT Devices
In previous blog posts, we’ve discussed the role of technology and HIPAA (related explicitly to HITECH regulations). However, the growth of intelligent devices and the Internet of Things (IoT) has led to a sea change in how Covered Entities (CEs) and Business Associates (BAs) manage their patients. Likewise, it adds new wrinkles to how these… Read More
What is the Structure of a SOC 2 Report?
Understanding the structure of a SOC 2 report is essential for both businesses and service providers who are thinking ahead to their audit and attestation. It will serve as the “story” of an organization’s SOC 2 journey, covering the evaluation of their adherence to the Trust Services Criteria (TSC)–security, availability, processing integrity, confidentiality, and privacy. … Read More
What Information Is Included in a FedRAMP System Assessment Report (SAR)?
The Federal Risk and Authorization Management Program (FedRAMP) is a security assessment and authorization program for cloud services used by the federal government. It is designed to ensure that cloud services meet the federal government’s security requirements, and that sensitive government data remains protected. A critical component of the FedRAMP security authorization process is the… Read More
StateRAMP, Subnetworks, and Boundary Security
StateRAMP guidelines include network security standards from NIST 800-53, with specific requirements for implementing those guidelines based on the application and data processing. Implementing boundary controls is one of the more relevant and sometimes challenging aspects of compliance network security. Here, we will dig into how StateRAMP (and FedRAMP, to some extent) approach subnetworks and… Read More
StateRAMP and Incident Response: What You Need to Know
In the unfortunate event that a breach occurs, organizations must have a plan in place to respond and recover. StateRAMP borrows requirements from FedRAMP and NIST 800-53 to define how exactly state and local governments can implement incident response into their overall security infrastructure.
What Is StateRAMP Fast Track?
Much hay has been made about how cloud providers can take advantage of the new StateRAMP program. Only a few years into operations, there are already questions about how governments and cloud providers can leverage the requirements to bring top-tier cybersecurity to a local level. One of these questions involves the adoption of StateRAMP standards… Read More
What Is the Threat-Based Risk Profiling Methodology in FedRAMP?
In February 2022, the FedRAMP Program Management Office updated the rules for their threat-based profiling methodology. This little-known approach to FedRAMP risk profiling and the rating security controls serves as the program’s effort to streamline authorization and program management with industry knowledge and agile development methodologies.
Reusing FedRAMP Cloud Products
The cloud service ecosystem for FedRAMP authorization has been growing year over year, as has the demand for the reuse of cloud products across agencies. To facilitate cloud product adoption across different agencies without compromising security and usability, FedRAMP provides a quick process to help reuse these services.
FedRAMP and FIPS-Defined Impact Levels
One of the foundational pieces of information that a cloud provider needs to know when preparing for their FedRAMP Authorization is the required Impact Level. These levels aren’t generic labels applied by agencies to highlight the importance of their data–they are clearly-defined categories laid out by the National Institute of Standards and Technology (NIST) to… Read More
StateRAMP and Authentication: What You Need to Know
Providers looking into StateRAMP authentication standards may find themselves staring into a stack of requirements documents across multiple security frameworks and government contexts. Not only is this unhelpful for these providers, but it also makes the process sound much more intimidating than it needs to be. In this article, we’ll take a high-level view of… Read More
FedRAMP and Risk Management
FedRAMP Authorization is a complicated undertaking due in no small part to the layers of requirements that cloud offerings must meet throughout the process. As part of the government’s turn to more comprehensive security, FedRAMP requirements include significant risk management standards that all providers must meet.
What Is FedRAMP Connect?
There are two clear paths through FedRAMP Authorization–the agency path and the much less-common Joint Authorization Board (JAB) path. While much more rigorous, this second course opens up several critical doors for cloud offerings that provide real and significant value to various federal agencies. However, the JAB path is exclusive and requires that cloud service… Read More
What Is FedRAMP JAB Provisional Authorization?
Last week, we discussed the process for Agency Authorization under FedRAMP guidelines. This route is, by far, the most common form of Authorization and one that most cloud providers will engage with. However, there are several use cases where a provider may seek more rigorous assessment to better open doors to serve with agencies across… Read More
What Is the FedRAMP Agency Authorization Process?
As cloud service providers pursue their FedRAMP authorization process, they face a significant choice stemming from their ultimate goals in the federal space. This decision is based on how they are pursuing their working relationships with federal agencies and how well the provider is prepared for the rigorous FedRAMP assessment process. When a provider enters… Read More
StateRAMP Requirements for Vulnerability Scanning
Ongoing maintenance and upkeep are a cornerstone of all cybersecurity regulations and frameworks. And for a good reason. The rapidly changing threat landscape that businesses and government agencies face daily necessitates an ever-vigilant approach to cybersecurity. Vulnerability scanning is an important part of compliance and security across almost every data-driven industry. Here, we’re discussing what StateRAMP… Read More
ISO 17065 and the Standard for Certification Bodies
There is no substitute for a competent and impartial auditor in terms of compliance, security, and correct operations. Organizations that can assess and certify technologies and organizations are essential for ensuring accountability and standards of excellence in place, applying to systems that store sensitive data. To modify a common saying, “who watches the auditors?” That’s… Read More