StateRAMP

StateRAMP was developed with procurement and IT officials in mind – to bridge the gap between the two offices and provide a framework of cybersecurity standards for government contractors. All too often, procurement officials are challenged with procuring the best cloud services and software for the lowest price, without the tools or resources to verify cybersecurity compliance.

While state and local governments have begun to take steps to secure their own databases, not much has been done to validate the oversight and protection of third party cloud service providers with whom they do business.

SSAE 18 (SOC 1), SOC 2, and SOC 3

The SOC 1, SOC 2, and SOC 3 attestations are globally recognized frameworks focused on Security, Availability, Privacy, Processing Integrity, Confidentiality, and Availability.

Modules include:

• AICPA SOC 1
• AICPA SOC 2 & 3

SEC, NFA & FINRA

Continuum GRC created the number one ranked IRM GRC audit software solution for SEC, NFA & FINRA audits that empowers you to prepare for a SEC, NFA & FINRA audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.

Modules include:

• FINRA SEC Cyber Security Report Card
• FINRA - Small Firm Cybersecurity Checklist
• COSO Summary of Deficiencies
• COSO Enterprise Risk Management – Integrated Framework
• COSO Internal Control – Integrated Framework

PCI DSS QSA and SAQ

The PCI DSS certification is the only authorized compliance assessment for merchants and service providers who process credit cards. It is required for all businesses processing credit cards to be certified annually.

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Modules include:

• Level 1 Merchant and Service Provider ROC and AOC
• Level 2, 3, and 4 SAQ A
• Level 2, 3, and 4 SAQ A-EP
• Level 2, 3, and 4 SAQ B
• Level 2, 3, and 4 SAQ B-IP
• Level 2, 3, and 4 SAQ C
• Level 2, 3, and 4 SAQ C-VT
• Level 2, 3, and 4 SAQ D Merchants
• Level 2, 3, and 4 SAQ D Service Providers

Level 1 Merchant

• PCI DSS RoC
  PCI DSS AoC Merchants
  PCI DSS Appendix E: Explanation of Requirements Not Tested
  PCI DSS Appendix D: Explanation of Non-Applicability
  PCI DSS Appendix C: Compensating Controls Worksheet
  PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  PCI DSS Action Plan for Non-Compliant Requirements

Level 1 Service Provider

• PCI DSS RoC
  PCI DSS AoC Service Providers
  PCI DSS Appendix E: Explanation of Requirements Not Tested
  PCI DSS Appendix D: Explanation of Non-Applicability
  PCI DSS Appendix C: Compensating Controls Worksheet
  PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  PCI DSS Action Plan for Non-Compliant Requirements

Level 2, 3 and 4

• SAQ A and AOC SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
• SAQ A-EP and AOC SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
• SAQ B and AOC SAQ B: Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ B-IP and AOC SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ C and AOC SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ C-VT and AOC SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ D Merchant and AOC SAQ D - Merchants: All merchants not included in descriptions for the above SAQ types.
• SAQ D Service Provider and AOC SAQ D - Service Providers AOC extra form for Service Providers - Section 2g: All service providers defined by a payment brand as eligible to complete a SAQ.

NIST Cyber Security Framework (CSF)

All businesses within the public-private sectors concerned about security will find the NIST CSF indispensable for both national and economic security. Even if you are not seeking FISMA attestation or certifications, the NIST CSF is the best place to start securing your organization.

Modules include:

• NIST CSF System Security Plan (SSP)
• NIST CSF Security Assessment Report (SAR)
• Federal Information Processing Standard (FIPS) 199 Categorization
• Plan of Action and Milestones (POA&M)

International Organization for Standardization (ISO)

Continuum GRC created the number one ranked IRM GRC audit software solution for ISO audits that empowers you to prepare for an ISO audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.

Modules include:

• ISO 27001
• ISO 27002
• ISO 27005
• ISO 27017
• ISO 27018
• ISO 27701
• ISO 22301
• ISO 17020
• ISO 17021
• 9001
• 90003

IRS 1075

Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies and Entities, provide very detailed audit requirements. Publication 1075 documents the managerial, operational, and technical security controls that must be implemented as a condition of receipt of FTI. IRS has mapped the IRS Publication 1075 control requirements to the National Institute of Standards and Technology (NIST) control requirements (NIST SP 800-53).

Modules include:

• Section 1.0, Introduction
• Section 2.0, Federal Tax Information and Reviews
• Section 3.0, Record Keeping Requirement
• Section 4.0, Secure Storage
• Section 5.0, Restricting Access
• Section 6.0, Other Safeguards
• Section 7.0, Reporting Requirements
• Section 8.0, Disposing of FTI
• Section 9.0, Computer System Security

HIPAA NIST 800-66

The HIPAA attestation is the only authorized compliance assessment for healthcare providers and provides the highest standard of assurances to your customers.

Buyer Beware! HITRUST is not the official standard recognized by HHS.

Modules include:

• HIPAA NIST 800-66 System Security Plan (SSP)
• HIPAA NIST 800-66 Security Assessment Report (SAR)
• HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act
• Meaningful Use Stage 1
• Meaningful Use Stage 2
• Meaningful Use Stage 3
• Federal Information Processing Standard (FIPS) 199 Categorization

[WpProQuiz 2]

FREE HIPAA Business Associate Agreement (BAA)

If you are in need of a HIPAA compliant Business Associate Agreement (BAA), we can provide one to you for free. Create an account in the ITAM IT audit software demonstration system and subscribe to the HIPAA Business Associate Contract. After answering a few simple questions you will be able to immediately download a perfectly prepared HIPAA Business Associate Agreement (BAA) that may be given to your business associates.

FDA 21 CRF 11 & Annex 11

Title 21 CFR Part 11 is the portion of the Code of Federal Regulations that provides standards determined by the Food and Drug Administration (FDA) on electronic records and electronic signatures. With electronic records widely used in the Life Sciences industry, most companies will find FDA 21 CFR Part 11 applicable.

Regulated companies with documents or records in electronic format must comply with FDA 21 CFR part 11. Part 11 pertains to pharmaceutical companies, manufacturers of medical devices, biotechnology companies, CROs, biologics developers, and other companies regulated by the FDA.

Part 11 helps companies safely maintain data securely so that it is not lost or corrupted, ensures companies are implementing systems and software correctly, makes sure there are data-trace changes, and prevents falsified records.

Modules include:

• Impact of 21 CFR Part 11 on the organization's computer systems, including Quality Management Systems
• Identification of the organization's computer systems and operating environment
• Hosting and interpretation of user interviews
• Review and consideration of organizational procedures
• Analysis of procedural documentation, validation, and audit data
• Regulatory significance of the computer systems
• Annex 11 for European Union compliance

European Union Cybersecurity Certification Scheme for Cloud Services (EUCS)

The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure.

Modules include:

• EUCS CSP
• EUCS CAB
• EUCS ENISA

Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171

Continuum GRC is completely committed to you and your business’ Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 audit success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.

Modules include:

• DFARS NIST 800-171 System Security Plan (SSP)
• DFARS NIST 800-171 Security Assessment Report (SAR)
• Federal Information Processing Standard (FIPS) 199 Categorization
• Plan of Action and Milestones (POA&M)

Securities Exchange Commission (SEC)

The SOX attestation based on the COSO framework is the only authorized compliance assessment for SEC registered companies and provides the highest standard of assurances to your customers.

Modules include:

• Enterprise Risk Management – Integrated Framework
• Internal Control – Integrated Framework

Cybersecurity Maturity Model Certification (CMMC) 

CMMC is a program that enables DoD contracting organizations to meet and demonstrate the security requirements embedded with FISMA and the NIST publications so that an agency may conduct business with the confidence that its contract holder is meeting those requirements.

Modules include:

• Cybersecurity Maturity Model Certification (CMMC) Level 1
• Cybersecurity Maturity Model Certification (CMMC) Level 2
• Cybersecurity Maturity Model Certification (CMMC) Level 3

Criminal Justice Information Services (CJIS)

The CJIS attestation is the only authorized compliance assessment for service providers in the law enforcement industry and provides the highest standard of assurances to your customers.

Modules include:

• CJIS System Security Plan (SSP)
• CJIS Security Assessment Report (SAR)
• Plan of Action and Milestones (POA&M)
• Federal Information Processing Standard (FIPS) 199 Categorization

Cloud Computing Compliance Controls Catalog (C5)

The German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber-attacks within the context of the German Government's "Security Recommendations for Cloud Providers".

Modules include:

• Cloud Computing Compliance Controls Catalog (C5)