• FedRAMP and Its Applicability to ISVs Hosted on FedRAMP-Authorized IaaS

    Karen Laughton, Managing Principal, FedRAMP & Assurance Services, Coalfire

    Independent Software Vendors (ISVs) often ask Coalfire about the FedRAMP compliance framework and how it applies to them. They hear that all software procured by the U.S. federal government must be FedRAMP authorized, and they come to the experts to help them navigate the process. The good news is that the FedRAMP program is not directly applicable to most ISVs. An ISV cannot get their native product listed in the FedRAMP marketplace because it is a “software,” not a “service,” and the FedRAMP program was designed for Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) providers that provide multi-tenant cloud solutions to the U.S. federal government. 

    Read more
  • The HITRUST CSF 90-Day Rules – What You Need to Know

    Zach Shales, Senior Director, Cloud Infrastructure, Coalfire

    Earlier this year, HITRUST announced required changes, effective April 1, 2019 (applicable to all CSF assessor firms), regarding quality and consistency for validated assessments. The changes were outlined in the CSF Assurance Bulletin and included the release of the HITRUST CSF® Assessor Quality Checklist.

    Read more
  • Successful SOC 2 Approaches to Address Fraud Risk

    Demarley Holder, Principal, SOC, Coalfire

    Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 (fraud risk considerations) because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the business operates and as such they do not extend their paradigm to consider non-financial fraud risks.

    Read more
Top