FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS
Karen Laughton, Managing Principal, FedRAMP & Assurance Services, Coalfire
Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is that the FedRAMP program is not directly applicable to most ISVs. An ISV cannot get their native product listed in the FedRAMP marketplace because it is a “software,” not a “service,” and the FedRAMP program was designed for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) providers that provide multi-tenant cloud solutions to the U.S. federal government.
The HITRUST CSF 90-Day Rules – What You Need to Know
Zach Shales, Principal, Healthcare Certification, Coalfire
Earlier this year, HITRUST announced required changes, effective April 1, 2019 (applicable to all CSF assessor firms), regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality Checklist.
Successful SOC 2 Approaches to Address Fraud Risk
Demarley Holder, Principal, SOC, Coalfire
Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 (fraud risk considerations) because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the business operates and as such they do not extend their paradigm to consider non-financial fraud risks.