The Skinny on IT Compliance Certifications from Hardest to Easiest

By Angela Polania

All the time, my clients ask “How much effort is required to obtain the latest/necessary IT Compliance certification?”  The IT Compliance landscape is evolving and is becoming inherently more complex and thereby more costly to maintain.  Therefore, we sliced through the minutiae and ranked in order of hardest-to-easiest to achieve compliance, things to look out for, and the latest updates.

1. FedRAMP [Top]

FedRAMP certification is by far, the hardest to achieve due to the large scope of controls, documentation requirements, required third-party assessment organization (3PAO) review as well as authorization by a government authority.  The average cost of obtaining FedRAMP certification ranges from hundreds of thousands up to a million dollars.  Any Cloud Service Providers (CSP) that holds Federal Data (e.g. AWS, Microsoft Azure, Adobe Connect, etc.) and wants to provide cloud services offerings (CSO) to the US Federal Government is required to obtain FedRAMP certification.

The things to look out for determining the scope of controls that are based on the level of impact (e.g. Low = 125 controls, moderate = 325 controls, high = 421 controls).  Also, different government agencies may have different processes for how they review authorizations and may not accept other government agencies’ authorization and require the CSP to get recertified under their specific process. Don’t forget continuous maintenance is required for this certification.

What are the latest FedRAMP updates?

In September 2020, the National Institute for Standards and Technology (NIST) published 800-53 revision #5 Security and Privacy Controls for Information Systems and Organizations.

In February 2020 – the House of Representatives passed the Federal Risk and Authorization Management Program Authorization Act of 2019 that proposes to:

  • Codify FedRAMP and provide $20 million more a year in much-needed funding to the JAB and the FedRAMP PMO to expedite their review process.
  • Also includes measures to increase the reuse authorizations (e.g. requires an agency to first check if a provider has JAB or another agency has issued a P-ATO or ATO prior to requesting authorization).

Creates the Federal Secure Cloud Advisory Committee, which would deliver an annual report to the GSA administrator and Congress that offers recommendations to improve the program.

2. HITRUST [Top]

Achieving HITRUST certification is also quite difficult due to the combination of multiple frameworks (ISO, NIST, PCI, HIPAA, and COBIT).  The average cost is hundreds of thousands of dollars to achieve full compliance. Any company that provides cloud software and services to healthcare payers (i.e. insurance companies) or very large healthcare organizations that work with the insurance companies to process their payments must receive HITRUST certification. HITRUST has the most complex set of compliance requirements and mandates a high level of control requirements.  For example, the average SOC 2 engagement averages 250 controls.  A typical HITRUST engagement may be upwards of 400+ controls. Each control must be assessed for five different maturity levels which could generate thousands of evidence files to support both the control and maturity assessments. Don’t forget HITRUST requires an annual fee to use the required “myCSF tool”.  The fee is charged based on the company’s income. NOTE: There are ways to get a cheaper 90 day trial of the tool – however, you lose your data when it expires.

What are the latest HITRUST Updates?

In June 2020, HITRUST released version 9.4 framework which incorporates the largest number of security and privacy frameworks, specifically it includes:

  • Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) v1.0
  • Updated NIST SP 800-171 r2 mappings to ensure continued alignment.
  • Expanded the Assess Once, Report Many™ benefits of the HITRUST Approach™.
  • Enabled HITRUST MyCSF® platform functionality to provide DoD CMMC customers the ability to select CMMC Maturity Level specific CSF requirements in support of compliance pursuits.

Like FedRAMP, HITRUST is an extensive investment that requires continuous monitoring and a lot of work to organize and maintain. Expect the next version 10 to be another overhaul with an average of 800+ controls.

3. CMMC [Top]

Achieving CMMC compliance is difficult due to the multiple frameworks involved.  The process for compliance is similar to FedRAMP.  Depending on your maturity level the readiness consulting costs could cost a few thousand dollars up to $50,000.  A typical CMMC audit ranges between $20,000 – $40,000.  All companies, including subcontractors that do business with the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD), are required to be certified to bid on a request for proposals.  CMMC compliance is not an option if you want to continue to do business with the DoD.  Contractors and sub-contractors seeking certification must meet compliance with both the NIST SP800-171 and the CMMC framework which has significantly increased the level of controls and compliance efforts. The CMMC focuses on protecting two forms of sensitive data Federal contract information (FCI) and Controlled unclassified information (CUI).  Fully safeguarding these forms of data requires an in-depth analysis of all systems.  Keep in mind, the CMMC is based on five levels of maturity – understanding and measuring each control on each level must not only be performed but documented.

What are the latest CMMC Updates?

  • On September 29, 2020, an interim rule was issued to supplement the CMMC program with the DoD Assessment Methodology. The rule will be effective as of November 30, 2020.
  • The DoD Assessment Methodology incorporates three levels: Basic, Medium, and High – which reflect the depth of assessment required by the DoD.
  • Starting November 30, 2020, contractors are required to have a current security assessment on the record before being awarded any contract.
  • The new rule also amends the Defense Federal Acquisition Regulation Supplement (DFARS) that mandates all contractors must be certified through the NIST SP800-171 DoD Assessment, before being put through the full CMMC framework.

4. PCI DSS Compliance [Top]

When compared to FedRAMP, HITRUST, or CMMC, PCI DSS compliance has a moderate level of complexity. However, achieving full compliance is not trivial. The level of compliance depends on the volume of payment data transactions processed and the requirements vary between merchants and service providers. Any organization that wants to process, store, or transmit payment card information is required to be compliant with the Payment Card Industry Data Security Standards (PCI DSS). Level 1 organizations must pass an on-site audit by an independent Quality Security Assessor (QSA) and submit a Report on Compliance (ROC). However, organizations that are Level 2 to 4 can self-assess and submit an Attestation of Compliance (AOC).

What are the latest PCI updates?

  • In 2019, the PCI SSC issued a request for comment (RFC) on the updated PCI DSS v4.0.
  • September – October 2020, an additional RFC will be issued including revisions to the original PCI DSS v4.0 and is currently planned for completion in mid-2021.
  • The transition period from PCI DSS v3.2.1 to PCI DSS v4.0 will remain active for an 18-month period.

5. SOC 2 Type II [Top]

Overall, obtaining a SOC 2 Type II report has a moderate level of difficulty.  However, the complexity depends on how many of the American Institute of Certified Public Accountants (AICPA) Trusted Service Criteria (TSC) that must be included in the SOC2 report – there are five in total.  Technology-based service organizations that process, store, report, host client information (e.g. data centers, SaaS, and other cloud service providers) typically require a SOC 2 Type II report or ISO 27001 compliance as their customers demand it as a term of doing business.  Unlike ISO 27001 and PCI, obtaining a type II report requires the examiner to obtain control operating evidence.  In fact, the word “evidence” appears 317 times in the guidance documents.  Basically, if it’s not documented, the control didn’t occur.

What are the latest SOC 2 Type II updates?

  • In 2018, the AICPA updated its SOC 2 standards and released a “how-to” guide for the examiners. Three major updates were noted:
    • Alignment with updated SSAE No. 18 (Clarified Attestation Standards). Information on requirements related to requesting written assertions and performing risk assessments is updated.
    • Updated criteria on the timing, nature, and extent of certain identified systems incidents as well as guidance on disclosures.
    • Updated Trust Services Criteria to align with the COSO 2013 framework.

6. ISO 27001 Certification [Top]

Depending on the size and complexity of the scope of management systems, achieving the ISO 27001 certification is a moderate to low-level of effort. Similar to SOC 2 Type II, technology-based service organizations that store client information in the cloud (e.g. SaaS and other cloud service providers) seek this certification. While obtaining an ISO 27001 certification is voluntary, most customers of technology-based service organizations demand it as part of the terms of doing business.  ISO/IEC 27001:2013 (ISO 27001) is an international standard and is preferred over the SOC 2 report for service providers that have global clients. Our clients typically struggle with obtaining the baseline assessment of what data needs protection and what systems and processes are involved as well as understanding how the requirements apply to the organization.

What are the latest updates to ISO 27001?

  • In 2019, ISO 27701 extended ISO 27001 that specifies standards for Privacy Information Management System (PIMS). This framework provides organizations a system to support compliance with the EU’s GDPR, California’s CCPA, and other data privacy requirements.

7. SOC 1 Type II [Top]

Just like the SOC 2 Type II report, the SOC 1 Type II level of complexity depends on whether the organization needs to certify over financial control types (e.g. payroll, medical claim processes, or loan servicers) versus just the security, availability, and confidentiality principles.  Therefore, the complexity of obtaining this report ranges from moderate to low. A SOC 1 Type II report is for any service organization that touches, stores, processes or impacts their client’s financial information (e.g. payroll processors, medical claims processors, loan servicers, as well as data center companies and Software as a Service).  Just like the SOC 2 Type II report, the SOC 1 Type II report is voluntary but usually demanded by the service organization’s customers as a term of doing business.  The Standard of Attestation Engagement (SSAE 18) drives both SOC 1 & 2 report requirements.  A type II report requires an audit period, evidence of the control and testing results are reported in both SOC 1 and 2 reports.

Latest Updates

May 2017, the SSAE 18 was issued and applied to all SOC 1 reports – no other updates to date.

8. HIPAA Compliance [Top]

The Security Rule is very light on typical IT compliance pain points like change management, patch management, system development lifecycle, etc. However, fines are very high so all healthcare providers (covered entities and business associates of all sorts) should take compliance seriously. In addition, employers and schools and that handle protected health information (PHI) should also be HIPAA compliant. The reason why HIPAA ranks the lowest in complexity compared to the other compliance frameworks is that the Security Rule misses key controls on change management, patch management, systems development life cycle. Unless these controls are picked through the Risk assessment process (which is required) they do not need to be evaluated.  Organizations that do not develop their own software (e.g. physician practices) may not need these controls.  However, organizations that develop their own software that hosts or process e-PHI, being HIPAA compliant does not require evaluating their development processes.

Latest Updates

  • While the law has been amended to deal with how healthcare organizations deal with the COVID-19 pandemic, not much has changed to the AICPA AT 105 guidance since its revision in 2015.
  • Here are some of the related COVID-19 impacts:
    • On March 17, 2020, the HHS announced that the OCR will suspend enforcement activities and waive penalties related to certain HIPAA Security Rule provisions “during the COVID-19 nationwide public health emergency.”
    • On August 24, 2020, the OCR permits covered health care providers (e.g., hospitals, pharmacies, laboratories, etc.) and health plans to contact their patients and beneficiaries who have recovered from COVID-19 to inform them about how they can donate their plasma containing antibodies (known as “convalescent plasma”) to help treat others with COVID-19.

There are plenty of other IT compliance frameworks and certifications.  However, we picked the most popular ones that we see in the IT compliance profession.

Click here to find out more about the various IT Compliance frameworks.  Elevate has deep expertise in IT Compliance and Cybersecurity best practices.  We can guide you through your compliance efforts and ensure you get the best value for your efforts and most importantly we review for Security and not just compliance. Like the saying goes Compliance does not always equal Security and Privacy but with us, we look and ensure you cover all your bases.