DSP vs CDPP

A common question is “What is the difference between the CDPP and the DSP?”

ANSWER: In simple terms, the Cybersecurity & Data Protection Program (CDPP) is designed to address a single, specific framework (e.g., ISO 27002, NIST 800-53 or the NIST Cybersecurity Framework), whereas the Digital Security Program (DSP) is designed to address multiple frameworks as a hybrid, "best-in-class" metaframework. 

• The CDPP is designed to help a company align with a single cybersecurity framework (e.g., NIST CSF, ISO 27002 or NIST 800-53).
• The DSP is designed for companies that need to align with multiple cybersecurity and privacy frameworks and cannot be constrained by aligning with just ISO or NIST. This is also applicable to companies that need to efficiently manage both cybersecurity and privacy principles.

Privacy Considerations

If your organization needs to address EU GDPR, CCPA, or any other privacy requirement, you should seriously consider the DSP instead of the CDPP, since the DSP contains a robust privacy section, in addition to its cybersecurity sections.  When considering any of the newer laws, regulations and industry frameworks, they can be considered "two-sided coins" in regards to the interconnected nature of privacy and cybersecurity where there is a clear expectation that in addition to a formal cybersecurity program, that your organization also maintains a privacy program to maintain "secure practices" for both privacy and security: 

• The determination of "secure practices" is left to the organization to define. In most cases, this means alignment with ISO 27001/27002, NIST Cybersecurity Framework, or NIST 800-53 as the framework used to define what "right" looks like from a cybersecurity perspective. The SCF also is applicable, since you can align with multiple frameworks.
• The determination of "privacy practices" are also left to the organization to define. Just like with cybersecurity frameworks, there are numerous privacy frameworks an organization can choose from. The DSP contains mappings to multiple privacy frameworks and even leverages the SCF's Data Privacy Management Principles.
• The selection of security and privacy frameworks for an organization to align with is a business decision and is not dictated by technology. Those frameworks are meant to support the organization's overall business operations and strategic goals. The selection of frameworks is foremost a business decision.
• These expectations for both privacy and cybersecurity apply not only to processors and controllers of data, but supply chains as well. An organization's internal "secure practices" are meaningless if there are unmanaged third-party service providers that have unfettered access to sensitive data or the systems / applications / services that store, transmit and process personal data. The DSP maps to over 100 laws, regulations and frameworks, so its flexibility is unmatched.

When you lay out the various frameworks in a spectrum from "weaker" to "robust" the DSP provides the most comprehensive coverage. However, some companies only need/want to align with a single framework.

There are two main factors that will assist you in determining which product is best suited to your business: (1) content and (2) functionality. However, while both cover common requirements, only your organization's needs (current AND future needs in terms of meeting specific statutory, regulatory and contractual requirements) will ultimately determine which is the best fit for you.

DSP vs CDPP Comparison
Editable documentation
Policies
Control Objectives
Standards
Guidelines
Procedures (separate product is available - CDPP or DSP Cybersecurity Standardized Operating Procedures (CSOP))
Controls
Metaframework (multiple cybersecurity & privacy framework alignment)
Single cybersecurity framework (e.g., NIST CSF 2.0, ISO 27001/27002, NIST 800-53 or NIST 800-171)
Privacy coverage (e.g., GDPR, CCPA, etc.)
Metrics (including KPIs & KRIs)
Capability Maturity Model
Reference Mapping (Excel spreadsheet)		limited to CDPP framework selected
GRC-Importable (Microsoft Word & Excel formats)

CONTENT

In terms of content, the scope of the DSP surpasses both versions of the CDPP, due to its structure and additional materials.

• “Best-In-Class” Structure – The CDPP versions are designed to stay true to NIST CSF, ISO 27002 or NIST 800-53, so their scopes are constrained by those specific frameworks.

• We designed the DSP to avoid similar constraints by creating a hybrid framework that takes of best components of leading frameworks, while avoiding their weaknesses. 

• The DSP currently covers over 100 laws, regulations and industry frameworks to allow alignment with multiple requirements with one document! 
• The DSP is directly mapped to the Secure Controls Framework (SCF), which is a free resource for companies that need cybersecurity and privacy controls.

• Controls & Metrics - While both the CDPP and DSP contain policies, control objectives, standards and guidelines, the DSP in unique in that it contains controls and metrics (including KPIs and KRIs). 

• This added content can save a company several months’ work from developing their own control wording and associated metrics! 

• This allows organizations to rapidly advance their cybersecurity program’s maturity by being able to PROVE that security is in place through metrics reporting!

Graphically, the difference in content can be seen in the comparison below (note – this just shows a fraction of what the DSP is mapped to, due to space limitations).

FUNCTIONALITY

In terms of functionality, the CDPP and DSP both come in Microsoft Word formats, so that it is easy to edit for your needs and gives our clients a wide range of methods to share the content. The difference is in added functionality that can save hundreds of hours in staff and consultant time!

• With the DSP, we did something different where we also put the DSP’s content into a Microsoft Excel format, so that it is importable into other tools or databases.
• Specifically, this Excel formatting makes it a breeze to import it into a Governance, Risk & Compliance (GRC) tool, such as Archer, RSAM, MetricStream, MyVCM, ZenGRC, ServiceNow, etc.
• If you are currently using a GRC tool or are planning one within the next few years, the DSP is the product you will want to buy, since it can save you hundreds of hours in formatting and preparation time. 

One of the biggest differences in functionality is in the controls used by the CDPP vs the DSP. The CDPP does its best to stay true to the aligned framework (e.g., NIST CSF, ISO 27002 or NIST 800-53). However, the DSP leverages the Secure Controls Framework (SCF) to map to over 100 different laws, regulations and industry frameworks.  

US GOVERNMENT & DOD CONTRACTORS

On a daily basis, we receive questions from government / DoD contractors about both NISPOM and NIST 800-171 (DFARS). Both the NIST 800-53 version of the CDPP and the DSP will allow an organization to comply with both NISPOM and NIST 800-171. Just as explained above, the DSP will just give you far more usefulness if you want to mature your security program beyond policies and standards.

• Efficient CMMC Scoping

  Determining the scope of controls (e.g., assessment boundary) is different than determining control...

• Are you a cyber criminal?

  As a Chief Information Security Officer (CISO) or cybersecurity director, it is likely that you been...

• New Standard For Third-Party Cybersecurity Assessments

  The release of the Cybersecurity & Data Protection Assessment Standards (CDPAS) is important to the...

• Cybersecurity Materiality & Key Controls

  There is a "materiality ecosystem" that exists within modern cybersecurity risk management discussio...

---