StateRAMP

StateRAMP was developed with procurement and IT officials in mind – to bridge the gap between the two offices and provide a framework of cybersecurity standards for government contractors. All too often procurement officials are challenged with procuring the best cloud services and software for the lowest price, without the tools or resources to verify cybersecurity compliance.

While state and local governments have begun to take steps to secure their own databases, not much has been done to validate the oversight and protection of third party cloud service providers with whom they do business.

SSAE 18 (SOC 1), SOC 2, and SOC 3

The SOC 1, SOC 2, and SOC 3 attestations are globally recognized frameworks focused on Security, Availability, Privacy, Processing Integrity, Confidentiality, and Availability.

Modules include:

• AICPA SOC 1
• AICPA SOC 2 & 3

PCI DSS QSA and SAQ

The PCI DSS certification is the only authorized compliance assessment for merchants and service providers who process credit cards. It is required for all businesses processing credit cards to be certified annually.

PCI DSS applies to all entities involved in payment card processing—including merchants, processors, acquirers, issuers, and service providers. PCI DSS also applies to all other entities that store, process or transmit cardholder data (CHD) and/or sensitive authentication data (SAD).

Modules include:

• Level 1 Merchant and Service Provider ROC and AOC
• Level 2, 3, and 4 SAQ A
• Level 2, 3, and 4 SAQ A-EP
• Level 2, 3, and 4 SAQ B
• Level 2, 3, and 4 SAQ B-IP
• Level 2, 3, and 4 SAQ C
• Level 2, 3, and 4 SAQ C-VT
• Level 2, 3, and 4 SAQ D Merchants
• Level 2, 3, and 4 SAQ D Service Providers

Level 1 Merchant

• PCI DSS RoC
  PCI DSS AoC Merchants
  PCI DSS Appendix E: Explanation of Requirements Not Tested
  PCI DSS Appendix D: Explanation of Non-Applicability
  PCI DSS Appendix C: Compensating Controls Worksheet
  PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  PCI DSS Action Plan for Non-Compliant Requirements

Level 1 Service Provider

• PCI DSS RoC
  PCI DSS AoC Service Providers
  PCI DSS Appendix E: Explanation of Requirements Not Tested
  PCI DSS Appendix D: Explanation of Non-Applicability
  PCI DSS Appendix C: Compensating Controls Worksheet
  PCI DSS Appendix A: Additional Requirements for Shared Hosting Providers
  PCI DSS Action Plan for Non-Compliant Requirements

Level 2, 3 and 4

• SAQ A and AOC SAQ A: Card-not-present merchants (e-commerce or mail/telephone-order) that have fully outsourced all cardholder data functions to PCI DSS validated third-party service providers, with no electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Not applicable to face-to-face channels.
• SAQ A-EP and AOC SAQ A-EP: E-commerce merchants who outsource all payment processing to PCI DSS validated third parties, and who have a website(s) that doesn’t directly receive cardholder data but that can impact the security of the payment transaction. No electronic storage, processing, or transmission of any cardholder data on the merchant’s systems or premises. Applicable only to e-commerce channels.
• SAQ B and AOC SAQ B: Merchants using only imprint machines with no electronic cardholder data storage; and/or standalone, dial-out terminals with no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ B-IP and AOC SAQ B-IP: Merchants using only standalone, PTS-approved payment terminals with an IP connection to the payment processor, with no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ C and AOC SAQ C: Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ C-VT and AOC SAQ C-VT: Merchants who manually enter a single transaction at a time via a keyboard into an Internet-based virtual terminal solution that is provided and hosted by a PCI DSS validated third-party service provider. No electronic cardholder data storage. Not applicable to e-commerce channels.
• SAQ D Merchant and AOC SAQ D - Merchants: All merchants not included in descriptions for the above SAQ types.
• SAQ D Service Provider and AOC SAQ D - Service Providers AOC extra form for Service Providers - Section 2g: All service providers defined by a payment brand as eligible to complete a SAQ.

Cybersecurity Maturity Model Certification (CMMC) 

CMMC is a program that enables DoD contracting organizations to meet and demonstrate the security requirements embedded with FISMA and the NIST publications so that an agency may conduct business with the confidence that its contract holder is meeting those requirements.

Modules include:

• Cybersecurity Maturity Model Certification (CMMC) Level 1
• Cybersecurity Maturity Model Certification (CMMC) Level 2
• Cybersecurity Maturity Model Certification (CMMC) Level 3
• Cybersecurity Maturity Model Certification (CMMC) Level 4
• Cybersecurity Maturity Model Certification (CMMC) Level 5

International Organization for Standardization (ISO)

Continuum GRC created the number one ranked IRM GRC audit software solution for ISO audits that empowers you to prepare for an ISO audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.

Modules include:

• ISO 27001
• ISO 27002
• ISO 27005
• ISO 27017
• ISO 27018
• ISO 17020
• ISO 17021

HIPAA NIST 800-66

The HIPAA attestation is the only authorized compliance assessment for healthcare providers and provides the highest standard of assurances to your customers.

Buyer Beware! HITRUST is not the official standard recognized by HHS.

Modules include:

• HIPAA NIST 800-66 System Security Plan (SSP)
• HIPAA NIST 800-66 Security Assessment Report (SAR)
• HITECH – Health Information Technology for Economic and Clinical Health (HITECH) Act
• Meaningful Use Stage 1
• Meaningful Use Stage 2
• Meaningful Use Stage 3
• Federal Information Processing Standard (FIPS) 199 Categorization

FREE HIPAA Business Associate Agreement (BAA)

If you are in need of a HIPAA compliant Business Associate Agreement (BAA), we can provide one to you for free. Create an account in the ITAM IT audit software demonstration system and subscribe to the HIPAA Business Associate Contract. After answering a few simple questions you will be able to immediately download a perfectly prepared HIPAA Business Associate Agreement (BAA) that may be given to your business associates.

Criminal Justice Information Services (CJIS)

The CJIS attestation is the only authorized compliance assessment for service providers in the law enforcement industry and provides the highest standard of assurances to your customers.

Modules include:

• CJIS System Security Plan (SSP)
• CJIS Security Assessment Report (SAR)
• Plan of Action and Milestones (POA&M)
• Federal Information Processing Standard (FIPS) 199 Categorization

Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171

Continuum GRC is completely committed to you and your business’ Defense Federal Acquisition Regulation Supplement (DFARS) and NIST 800-171 audit success. Regardless of whether you represent the private sector or the public sector, we stand ready to partner with your organizations.

Modules include:

• DFARS NIST 800-171 System Security Plan (SSP)
• DFARS NIST 800-171 Security Assessment Report (SAR)
• Federal Information Processing Standard (FIPS) 199 Categorization
• Plan of Action and Milestones (POA&M)

Cloud Computing Compliance Controls Catalog (C5)

The German Government-backed attestation scheme introduced in Germany by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber-attacks within the context of the German Government's "Security Recommendations for Cloud Providers".

Modules include:

• Cloud Computing Compliance Controls Catalog (C5)

NERC CIP & 693

Continuum GRC created the number one ranked IRM GRC audit software solution for NERC CIP audits that empowers you to prepare for a NERC CIP audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.

Modules include:

• NERC CIP-004: Personnel and Training
• NERC CIP-006: Physical Security of Critical Cyber Assets
• NERC CIP-010: Configuration Change Management and Vulnerability Assessment

Securities Exchange Commission (SEC)

The SOX attestation based on the COSO framework is the only authorized compliance assessment for SEC registered companies and provides the highest standard of assurances to your customers.

Modules include:

• Enterprise Risk Management – Integrated Framework
• Internal Control – Integrated Framework

NIST Cyber Security Framework (CSF)

All businesses within the public-private sectors concerned about security will find the NIST CSF indispensable for both national and economic security. Even if you are not seeking FISMA attestation or certifications, the NIST CSF is the best place to start securing your organization.

Modules include:

• NIST CSF System Security Plan (SSP)
• NIST CSF Security Assessment Report (SAR)
• Federal Information Processing Standard (FIPS) 199 Categorization
• Plan of Action and Milestones (POA&M)

SEC, NFA & FINRA

Continuum GRC created the number one ranked IRM GRC audit software solution for SEC, NFA & FINRA audits that empowers you to prepare for a SEC, NFA & FINRA audit effectively while dramatically reducing costs in preparation for working with a third-party assessment organization.

Modules include:

• FINRA SEC Cyber Security Report Card
• FINRA - Small Firm Cybersecurity Checklist
• COSO Summary of Deficiencies
• COSO Enterprise Risk Management – Integrated Framework
• COSO Internal Control – Integrated Framework