The Main Types of Security Policies in Cybersecurity

In 2020, security breaches cost businesses an average of $3.86 million, but the cost of individual incidents varied significantly. The main factor in the cost variance was cybersecurity policies and how well they were implemented. Cost mitigating factors include security best practices such as encryption and vulnerability testing, but board involvement in creating and enforcing security policies also had a substantial impact. 

Organizational security starts at the top, with clearly defined information security policies that influence how the organization as a whole prioritizes security, implements security best practices, and responds to threats. 


The 5 Components of Risk Management

Every business must contend with risks, some chosen deliberately and others an inherent part of the environment in which the business operates. Founding a business, launching products onto the market, employing people, collecting data, building systems—these are all essential to growing a successful business. They are also all sources of risk. 

But a business doesn’t thrive for long if it fails to balance risk-taking with risk mitigation. That’s the role of risk management. 


PCI DSS Compliance: What Do SAQ, AoC, and RoC Mean?

The Payment Card Industry Data Security Standard, or PCI DSS, was established as a standard security requirement for all entities that store, process, or transmit cardholder data. PCI DSS compliance helps to demonstrate your security commitment and assure your clients that their cardholder data is protected. When you engage in a PCI DSS audit, you’re testing your organization’s systems and processes against 12 technical and operational requirements made up of nearly 400 individual controls established by the PCI Security Standards Council to protect cardholder data.

A PCI DSS audit involves three kinds of deliverables, and your organization’s merchant level plays a part in determining which of them you need. Let’s take a look at the distinctions between a PCI DSS Self-Assessment Questionnaire (SAQ), Attestation of Compliance (AoC), and Report on Compliance (RoC).

What is a PCI SAQ?

The PCI Self-Assessment Questionnaire is a tool used to document an organization’s self-assessment of its security practices concerning cardholder data. There are nine different SAQ types, and which one applies to an organization depends on how it processes, handles, and stores cardholder data:

  1. SAQ A
  2. SAQ A-EP
  3. SAQ B
  4. SAQ B-IP
  5. SAQ C-VT
  6. SAQ C
  7. SAQ P2PE-HW
  8. SAQ D for Merchants
  9. SAQ D for Service Providers

These questionnaires help to determine which PCI DSS compliance requirements apply to your organization and how your current systems align with those security requirements. Although each SAQ type has a different scope, your organization can evaluate which one applies best to you so that you can obtain an AoC.

At KirkpatrickPrice, we offer guidance to help your organization work through your SAQ and ensure all of your yes/no answers are accurate according to your security systems. Even with a self-assessment, you’re not alone!

What is a PCI AoC?

The PCI Attestation of Compliance (AoC) is just that, an attestation completed by a Qualified Security Assessor (QSA) that states an organization’s PCI DSS compliance status. An AoC is documented evidence that an organization has upheld security best practices to protect cardholder data. Basically, an AoC is a written representation that your organization has completed the applicable SAQ and been verified by a QSA.

If your organization is a merchant, the requirements for a SAQ, AoC, and RoC vary depending on your PCI merchant level. We’ve written an introduction on the 4 PCI merchant levels for you to refer to when determining your own level of compliance. Similarly to the SAQ, there are different versions of the AoC, and they correspond to the SAQ versions. Whichever version of the SAQ your organization completes, the matching version of the AoC is the one to use.

What is a PCI RoC?

A PCI Report on Compliance (RoC) is issued by a QSA and details an organization’s security posture, environment, systems, and protection of cardholder data. The RoC is developed through a thorough assessment completed by a QSA that includes an onsite audit and review of controls. After an auditor tests your controls and obtains documentation of your processes, a summary of findings is developed which culminates in a final RoC.

Every RoC is organized according to the PCI Security Standards Council’s specifications for a qualified RoC which is derived from the RoC Reporting Template provided to all QSAs. The standardization of reporting allows your organization to provide every stakeholder, client, or interested party with a clear representation of your status on PCI compliance.

If you’re overwhelmed or confused by the PCI audit process, KirkpatrickPrice experts are here to help! Whatever your PCI objectives are, we want to partner with you to help you achieve your compliance goals. Call us today to talk with an expert and start your PCI compliance journey.

Using NIST 800-53 vs. NIST 800-171 in a FISMA Audit

When an organization engages in a FISMA audit, its information systems are first categorized according to FIPS 199 and FIPS 200 to determine security categories and impact levels. Then, those systems are tested against a tailored set of baseline security controls. Depending on whether an organization is a federal agency or a private sector entity, different NIST publications of security controls may apply to the FISMA audit. How can you determine whether your organization should use NIST SP 800-53 or NIST SP 800-171 security controls? Let’s dive into what applies to your organization and what doesn’t.

What is a FISMA Compliance Audit?

First, what is the Federal Information Security Management Act, or FISMA, and what does a FISMA audit accomplish? FISMA is United States legislation intended to protect the security, confidentiality, and integrity of government data systems. A FISMA audit is a test of an organization’s system against the controls outlined in various NIST publications such as NIST SP 800-53, NIST SP 800-171, FIPS 199, and FIPS 200.

FISMA was developed to protect against unauthorized access, use, disclosure, disruption, modification, or destruction of government information and assets. When you choose to engage in a FISMA audit, you can expect to receive a report on your controls, which can then be used to support your organization’s certification when an Authorization to Operate (ATO) is signed by a federal agency.

NIST SP 800-53 in a FISMA Audit

NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, is the guideline established for federal agencies to uphold regulatory requirements regarding the management of their information security systems. Federal agencies categorize their security systems according to the NIST compliance levels: low, moderate, and high. NIST SP 800-53 security controls are classified into 18 control families, which help federal agencies determine the organizational impact and risk of their systems:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Contingency Planning
  6. Identification and Authentication
  7. Incident Response
  8. Maintenance
  9. Media Protection
  10. Personnel Security
  11. Physical and Environmental Protection
  12. Planning
  13. Program Management
  14. Risk Assessment
  15. Security Assessment and Authorization
  16. System and Communications Protection
  17. System and Information Integrity
  18. System and Services Acquisition

When you engage in a FISMA audit with NIST SP 800-53 controls, you are testing your information security systems against compliance standards for federal agencies in an effort to better your information security and risk management practices.

NIST SP 800-171 in a FISMA Audit

While federal agencies test their systems against NIST SP 800-53 controls, non-federal organizations that work with government entities can comply with FISMA by testing their systems against NIST SP 800-171 security controls. Controlled Unclassified Information, or CUI, is governed by NIST SP 800-171, so any organization handling CUI should use the NIST SP 800-171 standard to ensure its security systems measure up to those security guidelines. The goal of NIST SP 800-171 is to protect unclassified information that isn’t considered part of federal information systems against unauthorized access, harm, or mishandling. NIST SP 800-171 controls are also categorized into families, but only 14 of them:

  1. Access Control
  2. Audit and Accountability
  3. Awareness and Training
  4. Configuration Management
  5. Identification and Authentication
  6. Incident Response
  7. Maintenance
  8. Media Protection
  9. Personnel Security
  10. Physical Protection
  11. Risk Assessment
  12. Security Assessment
  13. System and Communications Protection
  14. System and Information Integrity

If your organization handles CUI, engaging in a FISMA audit with NIST 800-171 controls can benefit your information systems, the categorization of your security practices, and your organization’s opportunities to conduct business with federal agencies.

At KirkpatrickPrice, we mold our audit process to fit your needs, whether that includes testing against NIST 800-53 controls or NIST 800-171 controls in a FISMA audit. With KirkpatrickPrice as your audit partner, you can get help from start to finish to determine what security testing will benefit your compliance goals. Contact us today to get help with your FISMA audit process!

FISMA and FedRAMP audits are often confused because both involve compliance around government data. But, when you dive into the details of each audit, you’ll recognize the differences are stark. Let’s talk through each of these compliance audits and how you can tell them apart from one another.

What is FISMA?

The Federal Information Security Modernization Act, or FISMA, is U.S. legislation that requires government agencies to meet a standard of processes and system controls that protects the confidentiality, integrity, and availability of their systems. The implementation of these processes must align with NIST standards such as NIST SP 800-53, NIST SP 800-171, FIPS 199, and FIPS 200. Under FISMA, all government agencies and their contractors are required to implement an information security program that complies with these established NIST standards.

What is FedRAMP?

The Federal Risk and Authorization Management Program, or FedRAMP, standardizes the security practices of cloud solutions to comply with information security best practices. The goal of this audit is to provide a standard that cloud service providers (rather than government agencies) can check against to ensure their security practices measure up to governmental security needs. Continuous monitoring and automation are a focus of FedRAMP in an effort to increase cloud security and protection of government data for cloud service providers.

Comparing FISMA and FedRAMP

When you’re deciding which framework best fits your organization, it’s easy to get lost in the security talk. To help you determine whether you should engage in a FISMA or FedRAMP audit, we put together the most important differences between the two audits:

Who Needs It
  FISMA: All government agencies, departments, and vendors
  FedRAMP: Cloud service providers that host and protect government data

Who Can Perform the Audit
  FISMA: Any third party security assessor
  FedRAMP: A certified Third Party Assessment Organization (3PAO)

Number of Controls in Each of the Three Compliance Levels
  FISMA: Low: 124, Medium: 261, High: 343
  FedRAMP: Low: 125, Medium: 326, High: 421

Authorization Process
  FISMA: Annual reviews of reporting and the current information security program
  FedRAMP: “Do Once, Use Many Times” authorization by the government, which is then reviewed by agencies

If you’re a cloud service provider focused on compliance for protecting government data, there’s a chance you’d benefit from both a FISMA and FedRAMP audit. Upon receiving a FISMA or FedRAMP certification, cloud service providers must obtain and maintain an Authority to Operate, or ATO, from a federal agency. Both FISMA and FedRAMP have different ATO variations – JAB P-ATO and FedRAMP ATO – which are required by federal agencies to engage in business with vendors.

These differences and complexities can seem overwhelming, but they don’t have to stop you from starting your compliance journey. At KirkpatrickPrice, we partner with you to ensure the scope of your engagement and audit framework align with your compliance goals. Contact us today to learn more about FISMA or FedRAMP and how we can help you start your audit journey.
