Compliance Questions & Answers

SOC 1, SOC 2, SOC 3, Audit and Attestation Reports

A SOC 1 audit is focused on the internal controls related to financial reporting (ICFR), while a SOC 2 audit is focused on information and IT security based on the five Trust Services Principles: Security, Confidentiality, Privacy, Processing Integrity, and Availability.

A SOC 2 Type 1 report details the suitability of the design of the service organization’s system controls. It describes the system at a point in time, particularly its scope, management’s description of the system, and the controls in place. A SOC 2 Type 2 report is an internal controls report detailing the operating effectiveness of the security controls that safeguard customer data over a period of time, referred to as the “reporting period.”

The SOC 3 report is a public report on the internal controls of a service organization, based on the five TSPs: Security, Availability, Processing Integrity, Privacy, and Confidentiality. It covers the same subject matter as the SOC 2 report but is designed to provide assurance of attestation without revealing proprietary information.

SOC 1 and SOC 2 reports are not public or general-use documents. They are for the internal use of the service organization and its stakeholders, and their distribution is restricted. The SOC 3 report, however, can be made available to the public to give stakeholders assurance about the service organization’s internal controls.

ISO27001

ISO 27001 is an international standard for information security management. Certification attests to the effectiveness of security controls and confirms that the required policies are in place. It provides a framework for organizations to follow in managing their information securely.

No. Although implementing the ISO 27001 information security controls is considered industry best practice, they are not mandatory for compliance.

ISO 27001 provides a standard framework for organizations to manage their information security and risk exposure. The ISO 27001 certification works as an assurance for clients and enhances the reliability and security of systems and information.

ISO 27001 is a framework designed to protect an organization’s sensitive data, so any organization that holds sensitive information can benefit from ISO 27001 certification.

The primary difference between ISO 27001 and ISO 27002 is that ISO 27002 is a reference document for selecting security controls while implementing an Information Security Management System based on ISO 27001. Organizations can be certified against ISO 27001 but not against ISO 27002.

The ISO 27001 standard comprises 114 controls divided into 14 categories.

ISO 27001 controls are divided into 14 categories which include:
Annex A.5 – Information security policies (2 controls)
Annex A.6 – Organisation of information security (7 controls)
Annex A.7 – Human resource security (6 controls)
Annex A.8 – Asset management (10 controls)
Annex A.9 – Access control (14 controls)
Annex A.10 – Cryptography (2 controls)
Annex A.11 – Physical and environmental security (15 controls)
Annex A.12 – Operations security (14 controls)
Annex A.13 – Communications security (7 controls)
Annex A.14 – System acquisition, development, and maintenance (13 controls)
Annex A.15 – Supplier relationships (5 controls)
Annex A.16 – Information security incident management (7 controls)
Annex A.17 – Information security aspects of business continuity management (4 controls)
Annex A.18 – Compliance (8 controls)

CMMC

The interim DFARS rule established a five-year phase-in period, during which CMMC compliance is only required in select pilot contracts, as approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)). The Department does not intend to approve inclusion of a CMMC requirement in any contract prior to completion of the CMMC 2.0 rulemaking process. Once CMMC 2.0 is codified through rulemaking, the Department will require companies to adhere to the revised CMMC framework according to requirements set forth in regulation.

The publication of materials relating to CMMC 2.0 reflects the Department’s strategic intent with respect to the CMMC program; however, CMMC 2.0 will not be a contractual requirement until the Department completes rulemaking to implement the program. The rulemaking process and timelines can take 9-24 months. CMMC 2.0 will become a contract requirement once rulemaking is completed.

The Department values feedback from industry, Congress, and other stakeholders and received over 850 public comments in response to the interim rule establishing CMMC 1.0. These comments focused on the need to enhance CMMC by (1) reducing costs, particularly for small businesses; (2) increasing trust in the CMMC assessment ecosystem; and (3) clarifying and aligning cybersecurity requirements to other federal requirements and commonly accepted standards. CMMC 2.0 was designed to meet these goals, which also contribute toward enhancing the cybersecurity of the defense industrial base.

The Department will publish a comprehensive cost analysis associated with each level of CMMC 2.0 as part of rulemaking. Costs are projected to be significantly lower relative to CMMC 1.0 because the Department intends to (a) streamline requirements at all levels, eliminating CMMC-unique practices and maturity processes, (b) allow companies associated with the new Level 1 (Foundational) and some Level 2 (Advanced) acquisition programs to perform self-assessments rather than third-party assessments, and (c) increase oversight of the third-party assessment ecosystem.

How will my organization know what CMMC level is required for a contract?
Once CMMC 2.0 is implemented, DoD will specify the required CMMC level in the solicitation and in any Requests for Information (RFIs), if utilized.

Under CMMC 2.0, the “Advanced” level (Level 2) will be equivalent to the NIST SP 800-171. The “Expert” level (Level 3), which is currently under development, will be based on a subset of NIST SP 800-172 requirements.

If contractors and subcontractors are handling the same type of FCI and CUI, then the same CMMC level will apply. In cases where the prime only flows down select information, a lower CMMC level may apply to the subcontractor.

Once CMMC 2.0 is implemented, self-assessments, associated with Level 1 and a subset of Level 2 programs, will be required on an annual basis. Third-party and government-led assessments, associated with some Level 2 and all Level 3 programs, will be required on a triennial basis.

Once CMMC 2.0 is fully implemented, DoD will only accept CMMC assessments provided by an authorized and accredited C3PAO or certified CMMC Assessor, and C3PAOs shall use only certified CMMC assessors for the conduct of CMMC assessments.

DoD’s intent under CMMC 2.0 is that if a DIB company does not process, store, or transmit Controlled Unclassified Information (CUI) on its unclassified network, but does process, store or handle Federal Contract Information (FCI), then it must perform a CMMC Level 1 self-assessment and submit the results with an annual affirmation by a senior company official into SPRS.

CMMC only applies to DIB contractors’ unclassified networks that process, store, or transmit FCI or CUI.

Once CMMC 2.0 is fully implemented, the DoD will have access to information and data relating to a company’s assessment, to include the assessment results and final report. The DoD will store all self-assessment results on SPRS. CMMC certificates and the associated third-party assessment data will be stored in the CMMC Enterprise Mission Assurance Support Services (eMASS) database. CMMC eMASS will automatically post a copy of a company’s CMMC certificate to the Supplier Performance Risk System (SPRS). The detailed results of a CMMC assessment will not be made public.

If a company voluntarily chooses to obtain a CMMC assessment and certification from a third-party assessment organization in the absence of a contractual requirement, the company must provide written consent to allow DoD access to or use of those assessment results. If a company consents to DoD access and use of data relating to the assessment, then DoD intends to store that information on eMASS.

The CMMC assessment costs will depend upon several factors including the CMMC level, complexity of the DIB company’s unclassified network for the certification boundary, and market forces. DoD will develop a new cost estimate associated with CMMC 2.0 to account for the changes made to the program which will be published on the Federal Register as part of the rulemaking process.

A CMMC self-assessment will apply to those companies that are only required to protect the information systems on which FCI is processed, stored or transmitted; and a subset of companies that are required to protect CUI. The CMMC self-assessment should be completed using the CMMC Assessment Guide codified in 32 CFR for the appropriate CMMC level. A CMMC self-attestation is a representation that the offeror meets the requirements of the CMMC level required by the solicitation. The CMMC program will require an annual self-assessment and an annual affirmation by a senior company official.

A “Basic Assessment”, as defined in DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, means a contractor’s self-assessment of the contractor’s implementation of NIST SP 800-171 that:
is based on the contractor’s review of their system security plan(s) associated with covered contractor information system(s);
is conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology; and
results in a confidence level of “Low” in the resulting score, because it is a self-generated score.

HIPAA

Any healthcare entity, be it a healthcare service provider, health plan, or healthcare clearinghouse, that electronically processes, stores, transmits, or receives medical records, claims, or remittances must comply with HIPAA.

Any business entity that falls within the scope of HIPAA and is expected to comply with its regulations is called a covered entity. This typically includes healthcare providers, insurance companies, and clearinghouses.

Information that relates to the health condition of an individual, and that either identifies the individual or gives a reasonable basis to believe it can be used to identify, locate, or contact the individual, is called Protected Health Information (PHI).

Non-compliance with HIPAA regulations can result in fines of up to $250,000 for violations, or even imprisonment of up to 10 years for the knowing abuse or misuse of health information.

Any device or electronic equipment that collects, stores, or transmits PHI falls within the scope of HIPAA. This includes medical devices, wearables, and IoMT (Internet of Medical Things) devices with built-in microprocessors and WiFi/Bluetooth features that can store PHI, transmit it to the cloud, and make it accessible to the healthcare entity.

No. The Privacy Rule does not apply to de-identified information since it neither identifies nor provides a reasonable basis to identify an individual.

PCI DSS


PCI DSS is a data security standard, not a regulation enforced by law. However, compliance with the standard is mandated by the contracts merchants sign with the card brands (Visa, MasterCard, etc.) and with the banks that handle their payment processing.

PCI non-compliance can result in penalties from the credit card companies ranging from $5,000 to $100,000 per month. The penalties levied depend on the volume of clients, the volume of transactions, the merchant’s PCI DSS level, and the duration of non-compliance.

An Attestation of Compliance (AOC) is a declaration attached to the SAQ stating that the merchant is eligible to perform, and has performed, the appropriate self-assessment.

Generally, small merchants or service providers who are not required to provide a Report on Compliance but wish to demonstrate their efforts to secure sensitive data use the SAQ for validation. The SAQ is a self-validation tool and a merchant’s statement of PCI compliance. It contains a series of “Yes/No” questions relating to the 12 PCI DSS requirements that the merchant must answer. For each question answered “No,” an attached remediation plan describing the actions the merchant plans to take to resolve the issue is required.

Yes. Outsourcing services or using third-party services does not exclude a company from PCI DSS compliance. Outsourcing to a third party will reduce the company’s risk exposure and consequently the effort needed to validate compliance, but the company cannot ignore PCI DSS compliance entirely.

Merchants who fall within the scope of PCI compliance will fall into one of four merchant levels, based on their transaction volume over 12 months. The transaction volume is the aggregate number of Visa transactions (credit, debit, and prepaid) from a merchant “Doing Business As” (DBA). Where a merchant has more than one DBA, Visa acquirers should consider the aggregate volume of transactions stored, processed, or transmitted across all of them to determine the validation level.


Level 1

Criteria:

Merchants processing more than 6 million Visa, Mastercard, or Discover transactions annually via any channel.
Merchants processing more than 2.5 million American Express transactions annually.
Merchants processing more than 1 million JCB transactions annually.
Merchants that have suffered a data breach or cyberattack resulting in cardholder data being compromised.
Merchants that have been identified by another card issuer as Level 1.


Level 2

Criteria:

Merchants processing between 1 million and 6 million Visa, Mastercard, or Discover transactions per year via any channel.
Merchants processing between 50,000 to 2.5 million American Express transactions annually.
Merchants processing less than 1 million JCB transactions annually.


Level 3

Criteria:

Merchants processing between 20,000 and 1 million Visa e-commerce transactions annually.
Merchants processing more than 20,000 MasterCard e-commerce transactions annually but no more than 1 million total MasterCard transactions annually.
Merchants processing 20,000 to 1 million Discover card-not-present-only transactions annually.
Merchants processing fewer than 50,000 American Express transactions annually.


Level 4

Criteria:

Merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions annually.
All other merchants processing up to 1 million Visa or MasterCard transactions annually.
