Why Transparency is the Future of the Payment Industry
The payments industry is going through a significant evolution, one that started to gain momentum over the past few decades. Preferred payment methodologies changed drastically from check to credit card to digital payment, which ultimately raised the importance of payment security. Needless to say, achieving compliance with PCI DSS industry requirements is critical to the success of an organization and critical in helping that organization maintain trust with their partners and customers.
When gaps are discovered in a PCI DSS assessment, what does an organization do? What steps does it need to follow to achieve compliance? And how are organizations monitored to ensure the gaps are effectively addressed?
The short answer: compensating controls. Compensating controls is what we see most organizations leverage to address control gaps during an assessment. Compensating controls, however, lack transparency. After all, there are no guidelines or requirements for an organization to disclose specifics around any gaps within the attestation or that would clearly indicate an organization leveraged compensating controls as a corrective measure.
This is one of the primary reasons we believe a shift is coming to the payments industry, and the future of the industry is one that will be rooted in transparency and accountability.
To understand the impact this potential change will have, let’s explore how organizations have historically leveraged compensating controls and how increasing transparency has the potential to change the industry for the better.
What Are Compensating Controls?
The PCI Council explains compensating controls “may be considered when an entity cannot meet a requirement explicitly as stated due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other controls.”
Basically, compensating controls currently provide organizations with an alternate way to satisfy industry requirements when they are otherwise unable to do so. In theory, compensating controls are valuable: they give organizations some flexibility to address legitimate constraints that prevent them from meeting a control as stated, while still ensuring that adequate controls are in place to mitigate the risk of not having the original control as written in the standards. They have also allowed organizations to put a corrective action in place to address issues and avoid a “non-compliant” report. This has helped merchants avoid non-compliance fees and helped service providers avoid damaging customer trust, which could result in customer churn.
However, compensating controls have been overutilized, and primarily used in a way they weren’t technically designed for. It’s why we at A-LIGN believe that the industry relying on compensating controls to address gaps in an organization’s (particularly a service provider’s) PCI compliance efforts is a bad practice for two primary reasons: they cover up underlying issues that may need to be addressed, and the service provider’s clients are kept in the dark that there were control gaps.
The Weakest Link: People Processes
One way in which compensating controls are misused is their broad application to cover flawed processes within an organization. We see compensating controls come into play often with things like vulnerability scanning and semi-annual firewall reviews. These are relatively simple and straightforward processes. Often, it’s not the scanning or technology reviewed that is missing the mark — it’s a problem with the related people processes and specifically a lack of both oversight and accountability. The people who are supposed to manage these processes and ensure they get done are not properly trained or monitored.
The people processes that lie behind the steps to maintain PCI compliance throughout the year can easily be overlooked. Organizations don’t take the time to ensure these people processes are properly in place. Instead, they rush to implement a compensating control to cover the issue. But this only remedies a symptom, it doesn’t cure the illness.
Customer Confusion
Compensating controls are also not properly reported to customers. Many times, customers are left unaware that control gaps exist, or they only know an organization had utilized a compensating control but don’t have the details of the “why” behind its use. This is because PCI DSS standards, as they currently exist, do not require any specifics around compensating controls or corrective actions to be disclosed to a partner or customer. There is no process that requires an organization to be transparent about compliance issues or gaps they need to correct.
As a result, a customer of a service provider is unaware they could be working with an organization that lacks a necessary security requirement or the proper people processes to maintain a given requirement, opening them up to increased risk. And there’s little urgency in many situations for the organization to address those issues.
Transparency is the Way
We believe more transparency in reporting will raise the caliber of organizations within the industry. Organizations will feel a greater sense of urgency and commitment to fix underlying issues and mature their compliance programs if issues are promptly documented and reported via an attestation report.
After all, transparency often comes with a healthy side of accountability. Organizations are more likely to address various issues when their customers are made aware of the compliance gaps they’ve uncovered and corrected. This signals the potential for a significant shift of power, where customers have the ability to hold organizations accountable for their actions. Ultimately, that’s the fastest way to drive change and ensure organizations prioritize bettering their compliance programs.
How A-LIGN Can Help
Partnering with a trusted PCI DSS Qualified Security Assessor Company (QSAC), like A-LIGN, gives organizations peace of mind knowing they’re working with an audit partner that is focused on helping them meet their organization’s compliance needs. From helping set reminders to stay on track with PCI DSS timelines to conducting regular segmentation testing and vulnerability scans, A-LIGN can help your organization recognize ways to enhance the maturity of your processes to achieve and maintain PCI DSS compliance, so you can be confidently transparent.
With the recent unveiling of CMMC 2.0, the expanded presence of StateRAMP, and new FedRAMP advisory guidelines for external servers, it’s safe to say that 2022 has a lot in store for Federal compliance changes. Tony Bai, A-LIGN’s Federal Practice Lead, and Emily Cummins, Anitian’s Director of Cloud Security, had a chance to sit down and discuss the latest news in federal compliance and what it could mean for your organization. Let’s dive in and get their thoughts on the latest CMMC 2.0 introduction, the new FedRAMP authorization boundary guidance, StateRAMP and more!
CMMC 2.0
Like everyone else in the world of federal compliance, A-LIGN and Anitian have been closely tracking the Cybersecurity Maturity Model Certification (CMMC) since the U.S. Department of Defense (DoD) shared its initial draft of the model in early 2020. With the release of CMMC 2.0, three major changes were recently announced: fewer security tiers, removing some third-party assessment requirements, and allowance for “Plan of Action & Milestone” reports.
Fewer Security Tiers
The initial CMMC draft established five tiers of cybersecurity requirements for contractors. The tier with which a contractor needs to comply is based on the types of data they work with to execute federal contracts. With CMMC 2.0 there are now only three security tiers:
- CMMC Levels 2 and 4 from the original framework are eliminated along with all maturity level processes.
- Level 1 Foundational: Includes the same 17 controls outlined in the original CMMC framework, but now only requires an annual self-assessment and affirmation by company leadership.
- Level 2 Advanced: Has pared down the original 130 controls in the original CMMC Level 3 baseline to the 110 controls outlined in NIST 800-171. The DoD is working on a process that will identify “prioritized acquisitions” that must undergo an independent assessment against the new Level 2 Advanced requirements on a triannual basis. All other organizations will only be required to perform an annual self-assessment and company affirmation.
- Level 3 Expert: This level will replace what was formerly known as CMMC Level 5. Details of this level are still being defined. It is expected that this level will incorporate a subset of controls from NIST SP 800-172.
Removing Some Third-Party Assessment Requirements
Under CMMC 2.0, Level 1 contractors will no longer be required to obtain a third-party certification. Instead, they will follow a self-assessment protocol which can significantly reduce the cost of compliance for many contractors. These self-assessments will require an annual affirmation by company leadership. The same changes apply to Level 2 assessment requirements; third-party assessments will only be required for companies supporting the highest priority programs.
Even with this change, to ensure compliance and avoid any significant penalties, we recommend you hire a third-party assessor to complete your CMMC certification.
“Plan of Action and Milestones” (POA&Ms) Reports
The DoD made the decision to allow POA&M reports in specific cases. These reports allow contractors to pass an assessment even if they do not currently meet every required security control, provided their report properly outlines a plan of action and deadlines to meet the outstanding controls.
“I have three words: Totally clean assessment,” said Emily. “We would all love to have them but in my eight years of working in this industry, I’ve never once seen a zero-finding assessment. With the release of CMMC 2.0, there is now the ability for an exception; where a finding is documented and tracked within the Plan of Action and Milestones (POA&M). This change makes CMMC certification much more achievable and realistic for the supply chain industry.”
Agreeing with Emily, Tony adds: “In the past, if we ever saw a system or report with zero findings, it would be a huge red flag and prompt us to dig much deeper. A completely clean company would raise suspicions.” With CMMC 2.0, the POA&M will allow six months from the time the assessment is completed by the C3PAO to remediate any issues. The DoD has yet to determine whether any of the practices will be considered “showstoppers” if non-compliant.
FedRAMP
FedRAMP strengthened the Federal government’s ‘cloud first’ initiative by enabling federal agencies to contract with approved cloud providers who were best equipped to protect vital government information. FedRAMP has officially posted its new authorization boundary guidance under “draft”, but it is essentially in effect for all CSPs, C3PAOs and stakeholders.
“The biggest impact is that nonfederal authorized external services that store, process, transmit federal data and metadata aren’t going to be acceptable for FedRAMP operating status with a user-ready assessment report,” said Tony.
With FedRAMP High, organizations were never able to connect to an external service that didn’t also earn FedRAMP High ATO. “In the past, as long as the organization had other authorizations, they could build a use case for why they are using an unauthorized external service,” said Emily. “This will no longer be allowed as organizations can now only connect to FedRAMP authorized services.”
FedRAMP recently released a document that defines metadata broadly as any data that can be ‘traced or linked back to’. “FedRAMP will want to see the peripheral attachments, systems, or equipment that isn’t necessary for the operation of that system that you’re selling to the government, but can play a significant role if it’s used,” said Tony. “You should contact your 3PAO, like A-LIGN, or cloud security experts, like Anitian, for clarification and guidance for your organization’s specific situation.”
StateRAMP
As cyberattack attempts carried out against state and local governments continue to become more prevalent, government agencies are in dire need of a way to modernize and systematize their cybersecurity practices — especially regarding cloud technologies. That’s where the State Risk and Authorization Management Program (StateRAMP) comes in. StateRAMP is essentially a nonprofit FedRAMP at the local level, based on the NIST framework.
“I think StateRAMP is going to find their success with CSPs struggling to locate a sponsoring agency,” said Emily. “Reciprocity will occur, but for those struggling to find the federal sponsorship and shying away from the FedRAMP JAB business requirements, StateRAMP will be a great solution.”
Tony added: “StateRAMP doesn’t have to occur at the formal state CIO level on down. StateRAMP is for any city government, county government, or state agency that wants to participate in this program. There are some states that are accepting this certification at a holistic level, like Arizona and Texas. For those companies that have an existing FedRAMP authorization, there is a reciprocity down to the StateRAMP level: they would review your FedRAMP package and issue an equivalent status.”
What’s Next?
Compliance certifications are continuously evolving and rightfully so. “It’s necessary for compliance frameworks to grow in order to keep up with federal’s changing threat landscape,” said Tony. “Your organization needs partners and technology that understand the requirements and can provide insight into CMMC, FedRAMP and StateRAMP throughout all phases of the assessment.”
“Oftentimes organizations feel that security certifications are a large lift, but the right partner and technology solution can greatly help your organization when preparing and going through the assessment process,” said Emily. Together, A-LIGN and Anitian can help organizations achieve CMMC 2.0, FedRAMP Ready, FedRAMP Authorized, and StateRAMP Authorized status, from application security to certification.
If you have any questions or if you would like to learn more about undergoing a CMMC, FedRAMP, or StateRAMP assessment, please reach out to one of A-LIGN’s experienced assessors at [email protected] or 1-888-702-5446. To discover how Anitian offers the fastest path to security and compliance for cloud applications, please complete a form or call 1-888-264-8426.
During the COVID-19 pandemic, the need for a solid business continuity management plan was put on full display. Practically overnight, many businesses had to move to a full remote state and stand up new systems, processes, and security measures to ensure business could run “as usual.”
But a global pandemic isn’t the only thing that changes the way a business operates — extreme weather conditions may knock out server access, a technical hiccup could disrupt a department’s ability to access files, or a high-ranking member of the executive team could leave their job. All of these conditions could cause disruption and as such, organizations must have contingency plans in place to deal with any issues that arise.
It’s time for organizations to make sure they implement a Business Continuity Management System (BCMS). As the name suggests, a BCMS is a management system to help organizations plan for disruptions and ensure that critical business functions remain running in the event of an emergency.
ISO 22301 Offers a Solution
As it has done with other information security and privacy management best practices, the International Organization for Standardization (ISO) created a framework and certification process for BCMSs called ISO 22301:2019 (ISO 22301). ISO 22301 was originally introduced in 2012 (minor updates were later introduced in 2019) with a goal to help organizations prevent, minimize, and recover from disruptive incidents without incurring financial and reputational penalties to their business.
ISO 22301 certification is of particular interest to businesses with data centers, employees, or offices in multiple locations throughout the world. These businesses have a lot of “what if” scenarios to manage on a day-to-day basis. For example, one data center might be situated in an area that’s prone to hurricanes and a disruption to that data center could reverberate across the entire global organization. In this case, it’s extremely important that considerations for every location — not just the location of the data center — are included in a business continuity plan.
Additionally, organizations that are data center providers, offer infrastructure as a service (IaaS), or offer their customers the equipment or tools needed to run their business, are all prime examples of organizations that would rely on a BCMS to mitigate risk and would want an ISO 22301 certification.
Why Should Organizations Seek Certification?
There are many benefits to pursuing an ISO 22301 certification. As an internationally recognized framework, ISO 22301 gives organizations the opportunity to provide peace of mind to their customers. With an ISO 22301 certificate in hand, organizations can show customers that they are a reliable business partner who will be able to restore operations in a timely manner should something happen.
Internally, a proper BCMS gives an organization a sense of potential vulnerabilities and outlines steps to reduce downtime should an emergency occur. A BCMS is a single place to organize all potential vulnerabilities across locations, and file plans for each “what if” scenario.
The Most Important Elements of ISO 22301
What exactly does ISO 22301 include? The standard looks at a variety of areas within your organization — including leadership resources, operations in place to reduce the likelihood of incidents, and more. The major clauses of the standard are as follows:
- Clause 5: Leadership — Ensures appropriate management and resources are provided to support a business continuity plan.
- Clause 6: Planning — Looks at an organization’s ability to identify risks related to its operations and the locations in which it operates.
- Clause 7: Support — Ensures staff are available in the event of an emergency, and that they are aware of their role in assisting the organization during such a time. This clause also covers the communication procedures that are in place to notify customers of any issues when an incident occurs.
- Clause 8: Operations — Focuses on identifying necessary procedures to avoid or reduce the likelihood of incidents and steps to be taken when incidents occur.
- Clause 9: Evaluation — Covers how an organization will evaluate performance against its plan with appropriate metrics.
- Clause 10: Improvement — Defines actions an organization will take to continually improve its business continuity plan as corrective actions arise from audits, reviews, and exercises.
The Certification Process
Though it’s clear how a BCMS could benefit any organization, too many businesses still fail to plan ahead and only consider these issues in the midst of a crisis. There’s a better option. Gaining an ISO 22301 certification allows your organization to rest easy knowing that plans are in place to secure critical business functions in times of need.
A-LIGN is an accredited certification partner and can guide you through every step of the ISO certification process. The process is separated into two stages and generally takes about six to eight weeks to complete. During Stage 1, the ISO experts at A-LIGN will review information about your business processes and operations, as well as the equipment and software that’s currently in place, the levels of control that have been established, and other regulatory requirements. In Stage 2, A-LIGN experts will evaluate the implementation and effectiveness of your BCMS to ensure it aligns with the ISO requirements and that all key performance objectives are being properly measured.
Once an ISO 22301 certificate is issued, it is valid for three years. Throughout that time, A-LIGN will provide subsequent surveillance audits to ensure the BCMS is up-to-date and continues to cover the full scope of operations as your business grows and evolves. In addition to servicing companies that are new to the ISO 22301 process, A-LIGN is also able to guide organizations that were previously certified using the original 2012 standard as they update their certification to comply with 2019 updates.
How European Companies Can Best Market Compliance Programs
Is your organisation getting maximum value from its compliance program? Each compliance report or certification you possess is more than just a document — it’s an affirmation to your customers, prospects, and partners that your company understands the importance of cybersecurity and is fully capable of safeguarding sensitive information.
To spread the word about the assessments that have been completed and what they actually mean, your organisation needs to identify and leverage all available opportunities to market your compliance program and drive new revenue into the business.
Whereas companies in the U.S. — especially in the tech industry — can be quite enthusiastic about promoting their various certifications and achievements, organisations in Europe tend to be a bit more subdued when it comes to compliance marketing. Read on to explore the top tips you should be using to market your unique competitive advantage: compliance.
Publish a Press Release
The press release is a cornerstone piece of compliance marketing material that is used to announce your organisation’s achievement in successfully completing a cybersecurity assessment. Whether it’s produced by the marketing department, a public relations firm, or written yourself, all compliance-related press releases should be brief (roughly 300-400 words) and get straight to the point.
Each press release will focus on one main idea. When strategising for a release, ask yourself, “What is the key takeaway for readers?” Write your answer down as a statement and use that assertion as the backbone of the writeup. For example, that statement might be, “We have successfully obtained a SOC 2 report, proving our commitment to protecting customers’ information and expanding the business on a global scale.”
While press releases are formal announcements intended to share breaking news about your company, that doesn’t mean they have to be boring or confined strictly to the minutiae of official names and dates. Talk about your accomplishment without using technical jargon and try to answer any questions that the average reader might have, such as:
- Why did your business conduct this assessment?
- What are the key impacts or benefits?
- Does it change the way your customers do business with you?
- How does the certification or report reinforce your company values?
Flavour your press release with direct quotes from your senior management as well as your auditor. Ultimately, you want all the facts surrounding the assessment to be placed in the context of how your customers and partners will benefit.
Pro tip: When writing, include the most important information at the top of the press release. If the reader stops after the first paragraph, this writing structure ensures they have still acquired the key message.
Update Your Website
Because your company’s website serves as an “always-on” marketing tool, it needs to effectively communicate your compliance achievements. Showcasing these credentials on your website shows that you take cybersecurity seriously and can be trusted with different types of information.
While some documents like a SOC 3 report are intended to be shared publicly, most compliance reports are reserved for situations where a non-disclosure agreement (NDA) is in place. That’s why updating your website often entails adding social proof (such as certification badges) to indicate that you have completed certain assessments without revealing all the sensitive details.
You can also use your website to host educational materials about the security principles and policies behind different assessments as well as your organisation’s unique philosophy on information security and privacy.
Supercharge Sales Enablement
Another valuable use case for compliance reports and certifications is sales collateral. In marketing parlance, sales enablement materials can be considered more “bottom of the funnel” compared to press releases and educational resources because they can be directly tied to deals closed and revenue earned.
Compliance reports allow your sales team to build trusting relationships by bridging audit requirements and the prospect’s organisational needs. Identify people on your sales team who are willing to experiment with new techniques and work with them to identify how your cybersecurity assessments could be used to give your company a competitive advantage. Ask questions like:
- Do our customers ever ask us to fill out a security questionnaire?
- At what point in the sales process do we typically position our technical strengths?
- What teams and job titles care about security the most?
- Which of our competitors have not gone through the audit process that we could call attention to?
From these conversations your marketing and sales teams can work together to drill down specific language about the benefits of compliance to use across emails, phone calls, and enablement content. While your plan will depend on the specific needs of your organisation, here are some examples of sales materials you might consider:
- Battlecard: This is a single, comprehensive resource that salespeople can use to articulate various details about the report, as well as guidance for handling common questions or objections that may arise. This may take the form of a one-pager within an internal training system, a printed resource that gets delivered to each member of the sales team, or even just a list of bullet points that is distributed via email.
- Presentation slides: Your sales team likely has a standard presentation deck they use when meeting with customers. Help them put together a few slides to include in the presentation that display your report and include high-level information about what it means and why it is valuable. Be sure to include information about the independent auditor you used to pass the assessment.
- Proposal template: Include a reference to your audit report in your standard proposal template. Because this document is a culmination of all your strongest selling points combined with the financial proposal that is sent to the customer, it’s a great place to give a concise statement on how you take your customers’ security seriously.
Leverage Your Community and Partners
For maximum reach, look beyond your own website and marketing channels to distribute messaging about your organisation’s compliance achievements. This might include opportunities like guest blogs, webinar speaking engagements, engaging on social media, or getting a piece of your content placed in an industry newsletter.
The key to this type of marketing is to avoid being self-promotional — instead, focus on the compliance benefits your organisation has realised and why other businesses would want to replicate your success. Many companies have not been through the cybersecurity audit process and may feel overwhelmed when approaching such an endeavour for the first time. By strategically sharing the high-level knowledge you’ve acquired, you can establish key figures in your organisation as thought leaders in this area, which increases recognition of your business as a symbol of compliance excellence in your industry.
Some of the security professionals you have on staff have likely picked up compliance best practices from their peers at other companies. Giving back to the community and sharing your story is a great way to establish your reputation as a champion of compliance for everyone.
Building Trusting Relationships Through Compliance Marketing
Effective compliance program marketing is all about nurturing relationships of trust with your customers, prospects, and partners. In many ways, the work of passing the assessment is the hard part. Now all you must do is strategise about how you will let people know, “Look what we did!” Hopefully the tips listed above will help put you on the right path to devising a compliance marketing strategy that is well-suited to your organisation.
If you are looking to review your organisation’s entire information security program to identify areas where a new assessment would have the greatest impact, A-LIGN can help.
Approaching Cybersecurity With a Tactical Mindset
With a threat landscape that is constantly evolving, cybersecurity can’t be something you set up and ignore. To keep your organization safe, and to stay compliant with required industry regulations and standards, you need to approach cybersecurity with a tactical mindset, one that positions it as a planned and proactive — not reactive — component of your business strategy.
The Threat Landscape Today
Think of it this way: Your entire network infrastructure is a battlefield and your job is to protect it from threats, both internal and external. To do this most effectively, you need to always be thinking one step ahead to prepare for what could happen next, in conjunction with keeping up with the current threat landscape.
Why? Because threat actors will keep doing what works well, shifting their tactics to make it look like a new attack. For example:
- Phishing — A few years ago, spearphishing and whaling attacks were popular. Though they haven’t gone away, the approach has shifted in regards to both the target and the delivery channel. Today, threat actors target disgruntled employees with the intention of stealing credentials to gain access to insider information. And sometimes, threat actors leverage social media to launch phishing attacks, as well.
- Familiar Attack Vectors with New Targets — As with phishing attacks, threat actors know where organizations are most vulnerable. Though they continue to use the same attack vectors, they are changing targets, like SMBs instead of enterprises, or lower-level employees instead of leadership.
- Ransomware — Ransomware increased by 151% in the first six months of 2021 compared to the same timeframe in 2020. Ransomware has grown in popularity partly because threat actors are taking advantage of remote workers and hybrid infrastructure models. Threat actors are also making it easier for others to run attacks as a result of increased use of the cloud. In fact, there has been an increasing amount of material online that makes running ransomware attacks easier.
- Third Parties — Today’s interconnected world has allowed for greater partnerships across organizations. But this also means that one company’s cybersecurity incident can also become yours. Though an organization’s partners and vendors may have their cybersecurity systems and protocols in place (something that should be vetted before signing a contract), the organization itself also needs to keep current with their own cybersecurity efforts. This extends to compliance with government and industry regulations. Each third party related to your organization enlarges your threat landscape and increases your risk of a compliance violation.
Protecting Your Organization With a Tactical Mindset
To avoid these attacks, pay close attention to what’s happening on your network. Areas you think are secured might, in fact, be your biggest vulnerability. The last thing you want to do is be tricked by a threat actor. Remember, cybersecurity should be proactive, with emphasis on active.
So how can you approach cybersecurity in a more strategic way?
Develop and Implement a Framework
Consider leveraging an acceptable framework, like NIST, to establish strong cybersecurity controls to help manage and reduce cybersecurity risk. MITRE’s D3FEND framework also helps organizations understand how others were hacked to provide insight to recognize threat patterns before you become victim to a cybersecurity incident. This insight can also provide organizations with a better understanding of their own cybersecurity posture.
Hire Ethical Hackers and Pen Testers
The best way to know where your organization’s vulnerabilities are is to hack your own network. You’ll want to hire someone who understands a variety of frameworks and architectures, an ethical hacker who can discover vulnerabilities before malicious actors get the chance. As you consider who could be a fit for this role, don’t limit yourself to looking at experience alone. After all, the purpose of testing the network is to harden your security posture; this can only be done effectively when someone is thinking one step ahead to test how well prepared you really are to prevent a cybersecurity incident. Hire someone who embodies a tactical mindset.
Check the Logs
Another component of the tactical mindset for cybersecurity is to check the logs. Though checking logs may be boring to some, it is one of the most important tasks in an effective cybersecurity strategy. If you don’t know what your logs should look like, you won’t be able to identify anomalies.
To that point, if you find a lot of errors in your logs, it could signal a clandestine attack or some other nefarious activity. Small events, anomalies, or user-reported issues can be the first sign of something bad brewing. Typically, “breadcrumbs” are left during an attack but hidden in plain sight, so always pay attention to the logs; they can provide clues to invisible or unexpected security events. Even if you have tools that alert on positive hits, you still need to check the logs regularly.
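The advice above, as an added example that is not A-LIGN’s code: learn what a quiet period of logs looks like (error volume per host and minute, and the message types that occur), then flag a later window whose error count or message types depart from that baseline. The line format, the hostnames and every log line are constructed for illustration.

```python
"""Baseline-then-compare log review (added example, not from the article).
Constructed line format: "<ISO timestamp> <host> <LEVEL> <message>"; hosts and lines are made up."""
from collections import Counter, defaultdict
from datetime import datetime
import re
import statistics

LINE_RE = re.compile(r"^(\S+) (\S+) (INFO|WARN|ERROR) (.*)$")

# Constructed "known-good" sample: a few quiet minutes with the usual stray error.
BASELINE_LOG = """\
2022-01-10T09:00:05 app01 INFO request path=/health status=200
2022-01-10T09:00:41 app01 ERROR upstream timeout after 3000ms
2022-01-10T09:01:12 app01 INFO request path=/login user=alice status=200
2022-01-10T09:01:50 db01 WARN slow query 812ms
2022-01-10T09:02:33 app01 ERROR upstream timeout after 3000ms
2022-01-10T09:03:07 db01 INFO checkpoint complete
2022-01-10T09:03:45 app01 INFO request path=/health status=200
""".splitlines()

# Constructed window to review: a burst of a message type the baseline never saw.
REVIEW_LOG = """\
2022-01-10T10:15:02 app01 INFO request path=/health status=200
2022-01-10T10:15:09 app01 ERROR login failed for user=alice from 203.0.113.7
2022-01-10T10:15:11 app01 ERROR login failed for user=bob from 203.0.113.7
2022-01-10T10:15:13 app01 ERROR login failed for user=carol from 203.0.113.7
2022-01-10T10:15:14 app01 ERROR login failed for user=dave from 203.0.113.7
2022-01-10T10:15:16 app01 ERROR login failed for user=erin from 203.0.113.7
2022-01-10T10:15:19 app01 ERROR login failed for user=frank from 203.0.113.7
2022-01-10T10:15:30 db01 INFO checkpoint complete
""".splitlines()

def parse(lines):
    """Yield (minute bucket, host, level, message type) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, level, msg = m.groups()
        bucket = datetime.fromisoformat(ts).replace(second=0, microsecond=0)
        # Collapse variable fields (usernames, numbers, IPs) so message *types* compare.
        yield bucket, host, level, re.sub(r"user=\S+|\d[\d.]*", "*", msg)

def build_baseline(lines):
    """Learn per-host ERROR-per-minute statistics and the set of message types seen."""
    errors = defaultdict(Counter)  # host -> {minute: error count}
    seen_types = set()
    for bucket, host, level, msg_type in parse(lines):
        seen_types.add(msg_type)
        errors[host].setdefault(bucket, 0)  # quiet minutes count as zero errors
        if level == "ERROR":
            errors[host][bucket] += 1
    stats = {}
    for host, per_minute in errors.items():
        counts = list(per_minute.values())
        stats[host] = (statistics.fmean(counts), statistics.pstdev(counts))
    return {"error_stats": stats, "message_types": seen_types}

def review(lines, baseline, sigma=3.0, floor=5):
    """Return findings: error spikes per host-minute and message types the baseline never saw."""
    findings, reported = [], set()
    errors = defaultdict(Counter)
    for bucket, host, level, msg_type in parse(lines):
        if msg_type not in baseline["message_types"] and (host, msg_type) not in reported:
            reported.add((host, msg_type))
            findings.append(("new_message_type", host, str(bucket), msg_type))
        if level == "ERROR":
            errors[host][bucket] += 1
    for host, per_minute in errors.items():
        mean, sd = baseline["error_stats"].get(host, (0.0, 0.0))
        threshold = max(mean + sigma * sd, floor)  # floor avoids alerting on 1 error vs 0
        for bucket, n in per_minute.items():
            if n > threshold:
                findings.append(("error_spike", host, str(bucket), n))
    return findings
```

Running `review(REVIEW_LOG, build_baseline(BASELINE_LOG))` reports the unfamiliar “login failed” message type once and the six-error minute on app01, while the baseline window reviewed against itself yields nothing.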
Adopt a Zero Trust Approach
Implementing a zero trust architecture is considered, by many, to be the best way to lessen the threat surface for your organization. Zero trust is a collection of concepts and ideas that are designed with the principle of least privilege for information systems. Basically, it’s about restricting access to resources to only the people who need them. Every time a user wants to access specific data or a specific resource, the user will need to authenticate and prove who they are.
The restriction around privileges is done intentionally. After all, a zero-trust architecture uses zero trust principles to manage workflow, designed to assume that an internal network is already infected with various threats.
Though this can present a unique mental hurdle for many organizations — especially since most people assume an internal network is protected — zero trust, combined with a strong framework, provides an organization with a more strategic approach to cybersecurity.
Tighten Up Your Cybersecurity
A tactical mindset requires an organization to always be alert. It’s about knowing your infrastructure, the devices connected to the network, how they communicate, the characteristics of your data, and who has data access.
Building a culture of proactive cybersecurity, complete with set policies, best practices, and user security awareness training, positions your organization to be better prepared for when a cybersecurity incident occurs.
A-LIGN Insights: Cybersecurity Predictions and Trends for 2022
In this issue we shed light on how to deduplicate efforts to save time on multiple audits, discuss how the Safe Harbor Act affects your organization, reveal the 5 best practices for compliance management, and much more.
Featured Content
The Safe Harbor Act
The HIPAA Safe Harbor Act was designed to limit the fines associated with a data breach for healthcare organizations that implement “recognized security practices.” Do you have your cybersecurity practices in place? Blaise Wabo, A-LIGN’s Healthcare and Financial Services Knowledge Leader, discusses how to identify what you need to mitigate risk.
5 Best Practices for Compliance Management
Looking for time-tested compliance management advice to level up your organization’s program? Patrick Sullivan, A-LIGN’s Director of Customer Success, recommends five best practices to follow for compliance success.
A-SCEND Developer Blog Series
Jason Kosecki, A-LIGN’s Principal Product Operations Manager for A-SCEND, continues his blog series to announce A-SCEND’s new releases and upcoming features! Get a sneak peek into how the addition of “link evidence” will help to streamline your audit process, saving you time and resources.
Compliance News
3 Compliance Factors Your European Organization Should Consider
From GDPR updates to the increasing popularity of U.S. compliance standards, European businesses have a lot to consider in 2022. Huw Pegler, A-LIGN’s VP of EMEA Sales, reveals three key factors to consider right now.
Can You “Fail” a SOC 2 Examination?
Although you can’t “fail” your SOC 2 report, it can result in report opinions being noted as “modified” or “qualified.” Alex Welsh, Associate Manager at A-LIGN, reveals what this means for your organization.
In Case You Missed It
Federal Compliance 2022: CMMC 2.0, StateRAMP, FedRAMP & Beyond
A-LIGN’s Federal Practice lead, Tony Bai, welcomed special guest Emily Cummins, Director of Cloud Security at Anitian, to discuss the latest news in federal compliance including the new Authorization Boundary Guidance, updates on CMMC 2.0, StateRAMP and more.
Federal Compliance Webinar: StateRAMP
A-LIGN’s Federal Practice lead, Tony Bai, welcomed special guest Leah McGrath, Executive Director of StateRAMP, to discuss the latest in the StateRAMP rollout, how StateRAMP compares to FedRAMP, and more.
Cybersecurity Predictions & Trends for 2022: Your Year of Readiness
As 2021 comes to a close, A-LIGN’s partner GreyCastle Security shared how to prepare for 2022’s top cyber challenges, and recommendations to develop a strategic and efficient cyber-strategy to best prepare for the year ahead.
A-SCEND Tip of the Month
A-SCEND’s “How to” Video Series: Deduplication of Efforts to Save Time Across Multiple Audits
Michael Darmanin, A-SCEND’s Senior Technical Support Analyst, launched a new video series in which he walks you through our compliance management platform, best practices, and tips and tricks to help streamline your audit process. In his latest video, Michael shares tips and tricks on how to use deduplication to save you time across multiple audits!
Season’s Greetings
From everyone at A-LIGN, we would like to wish you a wonderful holiday season, and a happy and healthy New Year. Cheers to 2022!
The National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) is a set of guidelines recommending how U.S. government agencies and private sector organizations supporting federal contracts should manage and protect information systems and the data within those systems.
The security controls within NIST SP 800-53 are organized into different categories ranging from Access Control to Contingency Planning, Media Protection, Risk Assessment, and more. In total, these categories house more than 1,000 individual control elements.
NIST 800-53 has been through multiple rounds of revisions since it was first introduced to accommodate changes in technological innovations and data management best practices. The final version of the most recent revision — NIST 800-53 Revision 5 — was initially introduced in 2020 and was open to public comment through October 1, 2021.
Now, Revision 4 has been superseded by Revision 5. Let’s review a few key differences between the two.
A Greater Emphasis on Privacy
At a high level, Revision 5 incorporates a greater emphasis on privacy — part of a larger effort to integrate privacy into all Federal Information Security Management Act (FISMA) regulations. As such, privacy controls that were previously detailed in an appendix to the main catalog of NIST 800-53 Revision 4 have evolved and moved into a new privacy control family called Personally Identifiable Information Processing and Transparency.
We’re not surprised by this change. There’s been an increasing emphasis on privacy over the last few years, with the introduction of regulations like the EU’s GDPR and China’s PIPL. NIST even came out with its own privacy framework early in 2020.
Additional Control Categories
Personally Identifiable Information Processing and Transparency isn’t the only new control category in Revision 5. Supply Chain Risk Management and Program Management categories are also present in this newest revision. The Supply Chain Risk Management control family expands on concepts that were previously outlined in the Supply Chain Protection control within Revision 4, and the Program Management family expands on the Information Security Program Management controls that were addressed in Appendix G of Revision 4.
We expect supply chain risk to remain top of mind and are tracking a published timeline from NIST that states the organization “will issue guidance that identifies practices that enhance software supply chain security, with references to standards, procedures, and criteria” in February 2022. From there, additional guidelines are expected to be published in May 2022.
A Focus on Outcomes
In addition to new and updated controls, Revision 5 also incorporates a greater emphasis on outcomes. Control statements within the updated version of NIST 800-53 have been rewritten to focus on the goal of the action instead of identifying a specific entity responsible for implementing the control. This is meant to acknowledge the fact that broad cooperation and collaboration are often required to achieve results. It is also meant to clarify the controls for non-government organizations, like private entities fulfilling government contracts, that often don’t have the same delineation of roles that we see within government organizations. With this change, NIST 800-53 is clearer and more adaptable for non-government entities seeking compliance.
Introduction of Separate Control Baselines
Revision 5 also separates the control baselines from the control catalog with a supplementary publication called NIST SP 800-53B. This supplementary publication outlines the three security control baselines — low-impact, moderate-impact, and high-impact — and provides guidance for tailoring control baselines to specific communities based on an organization’s technologies and environments of operation. NIST has stated that this change was made to further support the use of NIST 800-53 Revision 5 by different communities of interest and so the controls can be used “to support other cybersecurity lexicons and risk management approaches.”
Making Sense of All These Changes
In addition to the significant changes mentioned above, Revision 5 also incorporates a variety of new controls to strengthen security and privacy governance and accountability, support secure system design, and support cyber resilience and system survivability. The number of changes may seem daunting, but partnering with an assessor firm that is familiar with NIST, like A-LIGN, will help you ensure that your organization doesn’t miss a beat in complying with these revised guidelines.
Whether this is your first attempt to comply with NIST 800-53, or you previously complied with Revision 4 of the guidance, A-LIGN can help you implement and update procedures to meet Revision 5 standards. And since Revision 5 officially replaced Revision 4 at the end of September 2021 — there’s no more time to waste.
HITRUST Assurance Advisory Adds Strategic Scoping Factors
Even though compliance is an ongoing process, each individual assessment has its own lifecycle, which begins with a self-assessment of scoping factors. This can be a tedious process to complete for every audit, especially if the same questions get asked more than once, or continue to show up in assessment requirements. Fortunately, HITRUST has introduced a strategic approach to its scoping factors, which it announced in its Assurance Advisory: 2020-003.
HITRUST made multiple changes to its scoping factors, streamlining the audit process by mapping scoping factor questions to assessment requirements – eliminating unrelated requirements. The scoping factors now include additional context to questions to avoid the typical back-and-forth that could occur during QA of the assessment.
This Assurance Advisory is set to minimize unrelated requirements when a scoping factor is marked “no” and to curtail the constant flow of “this is not applicable because…” responses currently captured in HITRUST CSF assessment reports. According to HITRUST, “Assessed entities will instead be asked to explain the absence of inherent risk factors once rather than multiple times throughout the assessment, thus reducing the level of effort required to complete and review the assessment.”
HITRUST is adding more than ten additional scoping factor questions to identify risk factors for assessment, and adding additional requirements to existing scoping factors. The HITRUST portal, MyCSF, will require additional explanation for each question answered “No,” so that an External Assessor, such as A-LIGN, and the HITRUST QA can better evaluate each response. Additionally, HITRUST is adding more information to its help page and clarifying its definition of a third party.
The process of streamlining assessment requirements is a key component of strategic compliance, which seeks to centralize, standardize and consolidate audits. Our compliance management platform, A-SCEND, can already deduplicate redundant assessment requests to help our clients achieve strategic compliance. If you also appreciate the value of eliminating superfluous workflows, then we suspect that you will also be happy to see this update from HITRUST.
Download our HITRUST checklist now!
Five Best Practices for Compliance Management
Our 2021 Compliance Benchmark Report provided significant insights on how organizations are navigating the current compliance landscape, as well as how they are preparing for the future. By surveying more than 200 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals, we discovered a great deal about what makes compliance programs run smoothly and efficiently, and where there may be areas for improvement for businesses of all sizes and across all industries.
Here are five compliance management best practices gleaned from the 2021 Compliance Benchmark Report that you can use to improve your organization’s compliance program.
Best practice #1: Combine audits for greater efficiency
One of the standout findings from our Compliance Benchmark Report was the revelation that many organizations are not taking advantage of opportunities to streamline their audit efforts while achieving the same results. 85% of respondents to our survey said they conduct more than one audit every year, but just 14% consolidate their audits into a single annual event.
We highly recommend taking a strategic, year-round approach to preparation in which your organization consolidates audits and assessments wherever possible. A Master Audit Plan (MAP) is an invaluable tool that can be used to:
- Gain greater visibility into the efforts required from various teams
- Determine what is needed for each audit
- Identify evidence that can be repurposed across audits
50% of our survey respondents said they spend one to two months preparing for each audit or assessment and 17% noted they spend six months or more preparing for each audit or assessment. Clearly, using a MAP for more efficient compliance management has the potential to save your organization substantial time and resources.
Best practice #2: Leverage SOC 2 to build customer trust
When we asked our survey audience about the audit, attestation, or assessment they believe is most important to their organization, the top answer by a wide margin was SOC 2. Nearly half (47%) of respondents said that SOC 2 is mission critical to the success of their business.
Having a SOC 2 report indicates a high level of maturity in an organization’s IT security, which is why this voluntary standard is often used to build trust with prospects and customers by demonstrating that an organization has sufficient data protection mechanisms in place. One-third of the professionals who took our survey said that SOC 2 is typically the number one report or certification that customers want to see when performing data security due diligence.
In fact, SOC 2 has become so trustworthy in information security circles that, although it is a U.S.-based standard, some European organizations are now being asked to obtain SOC 2 reports — especially in highly regulated industries.
Best practice #3: Use technology to automate tedious tasks
One of the biggest obstacles organizations face during the audit process is repetitive and manual evidence collection since these tasks eat up significant time and resources. In fact, 27% of our survey respondents said that evidence collection is the greatest challenge of their audit process.
To streamline these tasks and free up staff hours to focus on more strategic initiatives, consider utilizing audit automation and compliance management software to centralize evidence collection. This technology gives your organization the ability to effortlessly link one or more pieces of evidence to multiple audit requests. However, despite the opportunities associated with audit automation and compliance management software, not many organizations are taking advantage of automation software; just 25% of respondents to our survey said they use a software solution to prepare for audits.
Worth noting is that automation software should always be used in tandem with an experienced compliance partner to ensure no corners are cut and that your compliance program is maturing as a whole. For example, when planning for SOC 2, be wary of software companies that claim their fully-automated SOC 2 software can take you through the entire audit process in just a few weeks. While automation tools can be useful for retrieving data that is required during the audit, it’s best to leverage the expertise of professional auditors who will ensure your SOC 2 process is thoughtfully planned and carefully executed for maximum efficiency.
Best practice #4: Prepare for the future of privacy compliance
Our Compliance Benchmark Report found that a whopping 71% of organizations believe that a rising focus on privacy across the globe has impacted their compliance practices and audits. 48% say that increased requirements related to privacy have resulted in additional compliance needs for their business.
As a result, organizations are recognizing the need to make data privacy a significant priority in 2022 and beyond. However, 44% of our survey respondents say limited staff resources pose a major challenge to their audit process, and 18% agree that their compliance team doesn’t have the skills and training needed to deal with privacy.
We recommend that you continue to monitor the latest news about the evolution of global and U.S. privacy regulations that could affect your organization. If you have questions about whether an upcoming law will apply to your business, reach out to your compliance partner to determine if it’s time to start laying the groundwork for these requirements within your compliance program.
Best practice #5: Review the end goals of your compliance program
When we asked our survey audience, “What is the driving force behind your organization’s compliance program?” responses were fairly evenly distributed across a few key areas:
- Adhere to regulatory requirements (19%)
- Meet board-level mandates (16%)
- Establish trust with prospects and customers (15%)
That being said, we also found that 64% of respondents have used an audit or assessment to win new business — even if that’s not the primary driver of their compliance program. In much the same way that a MAP can be used to get all departments on the same page and devise a strategy to check multiple compliance boxes at once, we advise your organization’s leadership to collectively ask, “how can we get the most out of our compliance management efforts?”
Many organizations approach audits and assessments in a reactive manner — 23% of respondents say their audits are driven by customer requests rather than internal management. For example, during the sales process, a prospect might request compliance with a specific framework, such as SOC 2 or HITRUST, generating an all-hands-on-deck effort to complete the necessary audit or assessment.
Instead, consider investing more time up front researching the accredited assessments and certifications that carry the most weight in the eyes of your target audience. Then you can balance these needs with more stringent regulatory requirements in your overarching compliance management strategy.
Next steps for proactive compliance management
Compliance shouldn’t feel like a burden. When approached thoughtfully and deliberately, your compliance program can support business growth and serve as proof that your organization is fully committed to cybersecurity. It starts with effective compliance management, combined with proactive consideration about what your compliance program should look like several years down the line.
We know you may not be a compliance expert, and that’s okay — because we are! A-LIGN can review your organization’s current compliance efforts, help identify gaps, and work with you to determine how compliance can contribute to desired outcomes in other areas of your business.