Can a service provider be SOC2 compliant without meeting every NIST guideline?
The short answer is yes. Although the two cybersecurity programs are not directly comparable, Command Alkon chose to first align with NIST cybersecurity guidelines. Here’s the breakdown and what it means for our customers.
What is SOC2?
Service Organization Control Type 2 (SOC2 for short) was developed by the American Institute of Certified Public Accountants as a way to audit and document how well a business internally processes and stores data in the cloud. Essentially, SOC2 evaluates an organization’s information systems against five criteria: security, availability, processing integrity, confidentiality, and privacy. To maintain compliance, organizations undergo an independent audit each year that verifies they continue to uphold the program’s criteria.
What is NIST CSF?
NIST, the National Institute of Standards and Technology, publishes industry-agnostic cybersecurity guidelines that specify how organizations can reduce cybersecurity risk to critical infrastructure. While all US Department of Defense contractors, as well as those working with other US government agencies, must comply with NIST Special Publication 800-53, a voluntary publication, SP 800-171, applies to private-sector companies that do not handle classified information.
The NIST guidance is a foundation that can be built upon to meet multiple IT compliance requirements. Neither 800-53 nor 800-171 is a cybersecurity audit in the way SOC2 is. Instead, their criteria codify industry best practices for managing cybersecurity risk, which enables alignment across different compliance frameworks such as SOC2. NIST criteria are designed to be scalable, making the framework itself quite malleable to an organization’s specific requirements.
Company policies and standards derived from NIST guidelines can be used to build internal controls and meet compliance requirements. For example, here’s a quote from Bank of America on why it also adheres to NIST guidelines:
“We incorporated the NIST Cybersecurity Framework into our annual Policy management cycle and have designed and implemented internal risk-based frameworks that align with NIST. Understanding the constantly evolving nature of data protection, we continuously monitor for emerging risks and dedicate significant resources to help ensure clients’ information is protected. We proactively look for ways to build stronger defenses, ensure every step of our technology design process takes cyber risks into consideration and integrate layers of security into everything we do. During the last four years we have not experienced any material losses or other material consequences relating to technology failure, cyber-attacks, or other information or security breaches.”
Embracing best practices
With the NIST framework in place, mapping it to the relevant Trust Services Criteria for SOC2 compliance is simply a matter of validation by an external auditor. We believe that meeting all of the framework’s extensive cybersecurity subcategories is the best way to ensure we have the most comprehensive and robust internal controls to protect our customers’ data in the cloud.
In addition, DFARS (the Defense Federal Acquisition Regulation Supplement) lays out cybersecurity standards for Department of Defense contractors and their subcontractors. Knowing that these standards ultimately require NIST SP 800-171 compliance also influenced Command Alkon’s decision to adhere to NIST guidelines.
Command Alkon plans to complete our SOC2 audit in 2024. Until the SOC2 audit is complete, we will gladly provide our customers with our current NIST compliance documentation.