Cybersecurity Compliance Starts With Unambiguous Documentation

ComplianceForge documentation is designed to scale for any cybersecurity or data privacy compliance need. Our clients have successfully used ComplianceForge documentation for a wide variety of compliance efforts, including:

• NIST 800-171 / Cybersecurity Maturity Model Certification (CMMC)
• Payment Card Industry Data Security Standard (PCI DSS)
• ISO 27001
• System and Organization Controls (SOC 2)
• Health Insurance Portability and Accountability Act (HIPAA) / Health Information Technology for Economic and Clinical Health Act (HITECH)
• Federal Risk and Authorization Management Program (FedRAMP)
• Federal Information Security Modernization Act (FISMA) 
• Risk Management Framework (RMF) / DoD Information Assurance Certification and Accreditation Process (DIACAP)
• Criminal Justice Information Services (CJIS)
• Family Educational Rights and Privacy Act (FERPA)
• Internal Revenue Service (IRS) 1075
• European Union General Data Protection Regulation (EU GDPR)
• Gramm-Leach-Bliley Act (GLBA)
• Sarbanes–Oxley Act (SOX)
• Federal Financial Institutions Examination Council (FFIEC)
• California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) 
• New York Department of Financial Services (23 NYCRR 500)
• And more!

There are a lot of cybersecurity and data privacy compliance requirements, but only a fraction have the ability to earn a certification. To address the needs of businesses that want to demonstrate compliance via a third-party assessment, the Secure Controls Framework (SCF) developed a conformity assessment methodology. The Cyber AB (same accreditation body as the DoD uses for CMMC) is the SCF's accrediation body for the SCF's Conformity Assessment Program (SCF CAP).

Secure Controls Framework Conformity Assessment Program (SCF CAP)

The Secure Controls Framework Conformity Assessment Program (SCF CAP) is a new approach to cybersecurity certifcations, since it enables an organization to demonstrate compliance with a law, regulation or framework, where an existing certification does not exist (e.g., NIST CSF 2.0 certification). The SCF CAP is designed for cybersecurity & privacy practitioners by cybersecurity & data privacy practitioners. This concept is based on the need within the industry for a tailored conformity assessment solution that is capable of addressing several key considerations:

• View compliance as a natural by-product of secure practices;
• Scale to address multifaceted operational requirements (e.g., laws, regulations and frameworks);
• Acknowledge the stated risk tolerance of the OSC since not all organizations have the same risk tolerance;
• Minimize the risk of “gaming” the certification process that provides no useful insights into the security posture of the Organization Seeking Certification (OSC);
• Utilize technology to make the assessment process more efficient to drive down labor-related assessment costs; and
• Leverage existing industry recognized practices, where possible.

The SCF CAP is designed to utilize tailored cybersecurity and data privacy controls to specifically address the applicable statutory, regulatory and contractual obligations an organization needs to comply with. The metaframework nature of the SCF enables an organization to perform a conformity assessment that can span multiple cybersecurity and data privacy-specific laws, regulations and frameworks.

Efficient & Cost Effective Cybersecurity Certification Options

The SCF CAP has a roadmap to enable the follow SCF-based certifications:

1. Australia Essential Eight
2. Canada B-13
3. Department of Homeland Security (DHS) Zero Trust Capability Framework (ZTCF)
4. DHS Cybersecurity & Infrastructure Security Agency (CISA) Secure Software Development Attestation Form
5. EU Digital Operational Resilience Act (DORA)
6. ENISA NIS2 (Directive (EU) 2022/2555)
7. Federal Acquisition Regulation (FAR) 52.204.21
8. Gramm Leach Bliley Act (GLBA) - CFR 314
9. New Zealand Health Information Security Framework 2022
10. NIST Cybersecurity Framework (NIST CSF) 2.0
11. NIST SP 800-66 R2 (HIPAA Secure Rule)
12. NIST SP 800-161 R1 (C-SCRM baseline)
13. NIST SP 800-171 R2 (non-CMMC)
14. NIST SP 800-171 R3 (non-CMMC)
15. NIST SP 800-207 (zero trust principles)
16. NY DFS 23 NYCRR500 - 2023 Amendment 2
17. Secure Code Alliance (SCA) Secure Software Development Practices (SSDP)
18. Trusted Information Security Assessment Exchange (TISAX) Information Security Assessment (ISA)

 

• C-SCRM & NIST 800-161 R1

  For many cybersecurity practitioners, even those well versed in NIST 800-171 and Cybersecurity Matur...

• Your CMMC Requirements Guide

  A common issue facing many front-line IT / cybersecurity practitioners is that they do not know wher...

• SCF Cybersecurity Documentation Experts

  ComplianceForge is very pleased to announce it is now a Secure Controls Framework Licensed Cont...

• Affordable Cybersecurity Policy Templates

  ComplianceForge specializes in cybersecurity documentation. We are an industry leader in providing a...

---