supernav-icon

Contact Sales

HomeBlogNew Frameworks: CCPA, ISO 27701, & More

New Frameworks: CCPA, ISO 27701, & More

We've added frameworks to the Drata platform including CCPA, ISO 27701, Microsoft SSPA, NIST CSF, NIST 800-171, NIST 800-53, CMMC, and FFIEC.
Drata Icon Blue BG Circle Crop

by Drata

May 24, 2022
Frameworks-Blog-Image-1200-x-628@2x-1-2048x1072
Share

Twitter

Facebook

Linkedin

Email

Contents
CCPAISO 27701Microsoft SSPANIST CSFNIST SP 800-171NIST 800-53CMMCFFIECAdditional Key Features

Security requirements are always evolving and it’s of the utmost importance that we’re equipped to handle those changes for our customers. Our team has been hard at work to expand the available frameworks on the Drata platform. Today we are launching our largest number yet—eight new frameworks! 

Our VP of Product, Brian Elmi, said it best, “Compliance has always been integral to a strong security posture, but it’s quickly becoming mandatory for companies responsible for managing and protecting all sorts of data. This launch marks Drata’s biggest expansion yet, and it’s a reflection of how quickly we’re committed to innovating in order to meet customer needs in real time.”

Read more to learn about each framework we’re launching and if it’s one your company is (or should be!) working towards.

CCPA

The California Consumer Privacy Act, or CCPA, is known for giving consumers a range of rights over their own personal information and how it’s shared with businesses. 

CCPA ensures that consumers have the right to:

  • Know about the personal information (PI) that a business collects about them and how, why, and who it’s shared with. 

  • Delete PI that has been collected from them (there are exceptions to this provision). 

  • Opt-out of the sale of their PI.

  • Not experience discrimination in the exercise of CCPA rights.

You must be CCPA compliant if you do business in California and:

  • Have a gross annual revenue of over $25 million.

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.

  • Derive 50% or more of your annual revenue from selling California residents’ personal information.

Although companies that are GDPR compliant may have an advantage on complying with CCPA, it’s important to note the key differences between the two regulations before making assumptions. 

When trying to manage multiple frameworks, your company needs an efficient way to handle data crossover. Drata has automation capabilities for the overlapping controls with other frameworks like GDPR and CCPA. With control mapping and the Dratameter, your company will be able to visualize framework progress with ease.

ISO 27701

ISO 27701 provides specific requirements and directives for establishing, implementing, and continually maintaining a Privacy Information Management System (PIMS). It expands on the Information Security Management System (ISMS) contained in ISO 27001 to cover the privacy protections required for processing Personally Identifiable Information (PII). 

It was created to provide an international standard for data privacy controls that when coupled with a framework like ISO 27001 and its ISMS, allows organizations to establish secure privacy data management. 

Similar to ISO 27001, ISO 27701 is for private, public, and government organizations that need to take a risk-based approach to processing and storing PII. It’s key to note that an ISO 27701 certification is only available as an extension of an ISO 27001 certification; it cannot be obtained on its own.

Having both ISO 27001 and ISO 27701 certifications means that a data privacy management system is in place. This sets up companies and organizations to ensure compliance with additional data privacy frameworks like CCPA and GDPR.

Companies that are building an advanced security posture from starter frameworks, like ISO 277001 after ISO 27001, can benefit from Drata—a compliance platform with custom control options. With ISO 27701 being a requirement-only framework, Drata makes it simple to manually map framework requirements and our team of past auditors is always available to help you navigate more advanced compliance requirements.

Microsoft SSPA

Microsoft Supplier Security and Privacy Assurance (SSPA) is a corporate program used to render Microsoft’s data processing instructions to their suppliers in the form of the Microsoft Supplier Data Protection Requirements. SSPA works to build compliance with an annual audit cycle.

Any vendor that processes what Microsoft considers as Microsoft Personal Data or Microsoft Confidential Data must be SSPA compliant. 

Microsoft Personal Data includes:

  • Sensitive data (government identifiers, location data, health data, ethnic origin, etc.)

  • Customer content data

  • Captured and generated data

  • Account data

  • End-user pseudonymized information (Identifiers created by Microsoft to identify users of Microsoft products and services)

Microsoft Confidential Data consists of two types, Highly Confidential and Confidential. Highly Confidential Data would include information such as pre-release device marketing materials or unannounced corporate financial data. Confidential Data is considered to be information like documentation for any Microsoft services or products and Microsoft product license keys.

Unlike GDPR or CCPA, this framework is not a law created by a governing body but a requirement by Microsoft from suppliers that process any of the above information. However, if your company is ISO 27001 and ISO 27701 compliant, due to the nature of the data privacy management controls, you may also be on your way to Microsoft SSPA compliance.

As suppliers of Microsoft, many companies that must comply with Microsoft SSPA also use an impressive tech stack. With over 75 app integrations, Drata is ready to seamlessly integrate into your existing tech stack. Read more about how Drata’s integrations can help grow your compliance program.

NIST CSF

The National Institute of Standards and Technology is a non-regulatory agency connected with the United States Department of Commerce. They have established the NIST Framework for Improving Critical Infrastructure Cybersecurity or the NIST Cybersecurity Framework (NIST CSF).

NIST CSF organizes basic cybersecurity activities at their highest level that are known as the following functions:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recovery

Each of these functions help agencies manage cybersecurity risks by organizing information, enabling risk management decisions, addressing threats, and learning from previous activities.

NIST CSF compliance is not required by law for all companies in the United States, however, it’s mandatory for all government agencies and their contractors. If your company does business with a government agency—in any capacity—you likely must maintain NIST CSF compliance.

NIST CSF is the foundational framework for a number of others, including NIST SP 800-171 and NIST 800-53. Whether your company has an established security program or is just starting out, Drata’s dedicated team of trusted compliance advisors will guide you through achieving NIST CSF compliance.

NIST SP 800-171

The NIST SP 800-171 or NIST 800-171 is a National Institute of Standards and Technology Special Publication that provides recommended requirements for managing the confidentiality of controlled unclassified information or CUI. This framework is more specific than NIST CSF as it specifically pertains to contractors of U.S. government agencies. Companies that store or process sensitive information that is considered unclassified on behalf of the U.S. government must comply with NIST 800-171.

Organizations that work with U.S. government agencies and may need to be NIST 800-171 compliant include:

  • University or college research departments that use federal data or information.

  • Healthcare data processors.

  • Defense contractors.

  • Research institutes that receive federal funding or grants.

  • Web or communication service providers.

There are 110 security requirements that must be met to be NIST 800-171 compliant. These 110 requirements are grouped into 14 requirement families best related to that security topic. 

Some of these requirement families overlap with the categories of the NIST CSF functions. If your organization is already NIST CSF compliant, you are likely close to achieving NIST 800-171 compliance as well. With the ability to monitor all of your controls in real-time, Drata gives you all the information you need to make any fixes in one easy view.

NIST 800-53

NIST 800-53 is an additional framework created by the National Institute of Standards and Technology to address the increasing technological capabilities of national adversaries. This framework contains control overlaps with NIST CSF and NIST 800-171. 

As with the other NIST frameworks, government agencies and contractors that work with U.S. agencies must comply with these standards.

NIST 800-53 is designed to improve the risk management systems in place for any agency or organization that processes, transmits, or stores information. There are over 900 controls that NIST 800-53 includes leaving organizations to choose the controls that best fit their risk level. 

With NIST 800-53 containing so many controls to choose from, it’s crucial to select a compliance platform that allows manual control mapping and provides custom control options. 

CMMC

Cybersecurity Maturity Model Certification (CMMC) is a certification for all Department of Defense (DoD) contractors and subcontractors to ensure that their systems are meeting security requirements for safeguarding  controlled unclassified information (CUI).

Companies that are working with the DoD must build a security program that’s compliant with the applicable CMMC level they are working to achieve. Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments. Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments performed by a CMMC Certified Third Party Assessor Organization. The highest priority, most critical defense programs (Level 3) will require government-led assessments.

 The levels essentially determine the type of information contractors are able to work with given how fortified their security program is. For instance, Level 1 consists of foundational security hygiene while Level 3 requires organizations to have proactive methods in place to detect and mitigate threats prior to them happening. All of the levels build upon one another to achieve the next level. 

Whether you’re looking to obtain a Level 1 or Level 2 certification, Drata gives you the ability to map the controls you need to achieve, monitor, and maintain compliance. Instead of jumping from tool to tool to manage multiple frameworks and regulations, you’ll have a central location with a robust, real-time view of your security posture.

FFIEC

The Federal Financial Institutions Examination Council is responsible for constructing guidelines and practices for financial institutions. 

The FFIEC provides a set of technology standards for online banking that financial institutions must follow. It consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Cybersecurity Maturity covers five domains:

  • Cyber Risk Management and Oversight

  • Threat Intelligence and Collaboration

  • Cybersecurity Controls

  • External Dependency Management

  • Cyber Incident Management and Response

Any federally supervised financial institution including their holding organizations and subsidiaries, must comply with these FFIEC regulations or potentially face massive fines. 

Within Drata you’ll be able to map FFIEC controls and customize the platform to fit your needs—helping you reach and maintain compliance. Monitor FFIEC and over a dozen more frameworks in a single location. So whether you’re building a more mature security program or trying to lessen the workload on your team, Drata has the tools to achieve both. 

Additional Key Features

Alongside these newly launched frameworks, Drata customers also benefit from many other features including:

  • Dedicated customer success agents to ensure audit readiness.

  • Over 75 integrations to merge seamlessly with your tech stack.

  • A customizable platform to fit your specific compliance needs.

  • A new framework dashboard to easily visualize your framework readiness with our Dratameter.

Whether you’re preparing to build your security program from scratch or optimize it to the highest level, Drata is the compliance automation platform that will save your team hundreds of hours of evidence collection and strengthen your security posture. Schedule a time to talk with our team to be audit-ready at all times.

Trusted Newsletter
Resources for you
Harnessing AI in Cybersecurity Compliance Auditing A Strategic Imperative

Harnessing AI in Cybersecurity Compliance Auditing: A Strategic Imperative

New Launches From Drataverse

New Launches From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Highlights From Drataverse: Chart Your Course

Drata Icon Blue BG Circle Crop
Drata
Related Resources
DDRR Recap
One Complete Solution

Product Updates

A Recap of Drataverse Digital: Risk and Reward

SentinelOne + HRIS
One Complete Solution

Product Updates

Reduce Manual Workload With SentinelOne and 23 New Deep HRIS Integrations

NIST AI RMF
One Complete Solution

Product Updates

Drata's New NIST AI RMF: A Game-Changer for AI Risk Management

TPRM (1)
One Complete Solution

Product Updates

Unveiling Third-Party Risk Management (TPRM): A Future-Proof Approach to Risk

Drata is a security and compliance automation platform that continuously monitors and collects evidence of a company’s security controls, while streamlining workflows to ensure audit-readiness.

Solutions

StartupScaleEnhanceDrata PlatformIntegrations
Frameworks
SOC 2ISO 27001HIPAAGDPRNIST AI Risk ManagementFedRAMPCustom FrameworksAll Frameworks
Resources
BlogEventsWebinarsReportsSOC 2 HubISO 27001 HubProduct UpdatesCompliance GlossaryAPI Documentation
Company
Careers
HIRING
CustomersAuditorsPartnersPressContact UsLegal
Trust

Security and Compliance

Trust CenterSystem Status
Become a Trusted Newsletter Insider

The latest security and compliance news, delivered.

© 2024 Drata Inc. All rights reserved.

Privacy NoticeLegal