Covering all the bases: Why Command Alkon adheres to NIST

Can a service provider be SOC2 compliant without meeting every NIST guideline?

The short answer is yes. Although the two cybersecurity programs are not directly comparable, Command Alkon chose to align with the NIST cybersecurity guidelines first. Here’s the breakdown and what it means for our customers.

What is SOC2?

As part of our continued commitment to provide materials producers and suppliers with safe and resilient solutions, Command Alkon’s cloud-focused products are compliant with both SOC1 and SOC2 certifications. Established by the American Institute of Certified Public Accountants, SOC reports are particularly important for technology providers that handle sensitive data or provide compliance-related services. While SOC2 Type 1 verifies that necessary security controls exist and are appropriately designed to meet standardized criteria, Type 2 assesses the operating effectiveness of those controls.

What is NIST CSF?

NIST, the National Institute of Standards and Technology, defines industry-agnostic cybersecurity guidelines that specify how organizations can reduce cybersecurity risks to critical infrastructure. While all US Department of Defense contractors, as well as those working with other US government agencies, must be compliant with NIST Special Publication 800-53, a voluntary publication, 800-171, applies to private-sector companies who do not handle classified information.

NIST is a structure that can be built upon to meet multiple IT compliance requirements. Neither 800-53 nor 800-171 is a cybersecurity audit in the way that SOC2 is. Instead, their criteria provide industry best practices for managing cybersecurity risk, which enables alignment across different compliance frameworks such as SOC. NIST criteria are designed to be scalable, making the framework itself quite adaptable to an organization’s specific requirements.

Embracing best practices

With the NIST framework in place, mapping it to the relevant Trust Services Criteria for SOC2 compliance is simply a matter of validation by an external auditor. We believe meeting all of the framework’s extensive subcategories for cybersecurity best ensures we have the most comprehensive and robust internal controls to protect our customers’ data in the cloud.

Company policies and standards derived from NIST guidelines can be used to build internal controls and meet compliance requirements. For example, here’s a quote explaining why Bank of America also adheres to NIST guidelines:

“We incorporated the NIST Cybersecurity Framework into our annual Policy management cycle and have designed and implemented internal risk-based frameworks that align with NIST. Understanding the constantly evolving nature of data protection, we continuously monitor for emerging risks and dedicate significant resources to help ensure clients’ information is protected. We proactively look for ways to build stronger defenses, ensure every step of our technology design process takes cyber risks into consideration and integrate layers of security into everything we do. During the last four years we have not experienced any material losses or other material consequences relating to technology failure, cyber-attacks, or other information or security breaches.”

Our team takes pride in ensuring Command Alkon’s cloud-focused products are SOC2-compliant (Types 1 & 2). Even with this third-party accreditation, we believe the “extra” steps that come with NIST adherence are worth it for customers.