
MSP Compliance Frameworks

USA’s Federal, State, and Industry-Specific Compliance Frameworks

Just like barbecue, pizza, and sandwiches, compliance requirements in the USA can differ from state to state. Find out which frameworks are a country-wide classic and which regions have their own unique flavours.

Frameworks to Support Every Client


American Cybersecurity Standards

Federal Standards for US Businesses

CJIS

Protects criminal justice system information:

The Criminal Justice Information Services (CJIS) Security Policy is a set of security requirements published by the FBI's CJIS Division. It establishes the minimum controls for handling criminal justice information (CJI), and compliance is mandatory for law enforcement agencies, courts, correctional facilities, and any third party, including an MSP, that accesses, stores, processes, or transmits CJI on their behalf. MSPs serving these clients need a compliance management tool that maps their controls to the policy's requirements and keeps the supporting evidence current.

FedRAMP

Government data in cloud storage:

FedRAMP® (the Federal Risk and Authorization Management Program) was launched in 2011 to give the federal government a cost-effective, risk-based approach to adopting cloud services. It provides a standardized process for security assessment, authorization, and continuous monitoring of cloud products, so that an authorization granted once can be reused across agencies. Compliance automation software helps cloud providers and their MSP partners keep the required control evidence and continuous-monitoring artifacts current.

NIST AI RMF

Mitigate the risks associated with using AI:

The NIST AI Risk Management Framework (AI RMF 1.0, released in January 2023) is voluntary guidance for managing the risks of designing, developing, deploying, and using artificial intelligence systems and for improving their trustworthiness. It organizes AI risk management into four core functions, Govern, Map, Measure, and Manage, and was developed through an open, consensus-driven process, so organizations can integrate it with their existing IT risk management rather than treating AI risk separately.

NIST CSF 2.0

The flexible add-on to supplement security:

Released in February 2024, the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) 2.0 is a comprehensive yet flexible set of outcomes, guidelines, and best practices organized into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is voluntary, applies to organizations of any size or industry, and is meant to be implemented alongside existing security processes and compliance management tools rather than replacing them.

NIST SP 800-161r1

The Cybersecurity Supply Chain framework:

NIST SP 800-161r1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, integrates cybersecurity supply chain risk management (C-SCRM) into an organization's broader risk management activities. It covers supplier and product risk assessment, supplier relationship management, and incident response involving suppliers, and it is the key reference for organizations that need to secure their supply chains, gain visibility into third-party components, and maintain trust with suppliers.

NIST SP 800-171 R3

The CUI protection framework:

NIST SP 800-171 Revision 3, published in May 2024, specifies the security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Its requirement families include access control, incident response, and system and information integrity, among others, making it the reference for any organization that stores, processes, or transmits CUI.

NIST Privacy Framework v1.0

Voluntary privacy framework:

NIST published the Privacy Framework v1.0 in January 2020 as a voluntary tool to help organizations identify and manage privacy risk while still building innovative products and services. It is structured like the Cybersecurity Framework, with a Core, Profiles, and Implementation Tiers, which lets organizations align privacy risk management with their existing compliance tooling and reporting.

SOC 1 Type I & II

Financial data control:

Developed by the American Institute of Certified Public Accountants (AICPA), SOC 1 reports cover the controls at a service organization that are relevant to its customers' internal control over financial reporting. A Type I report describes the design of controls at a specific point in time, while a Type II report also tests their operating effectiveness over a defined period. The five areas often listed with SOC 1, control environment, risk assessment, control activities, information and communication, and monitoring, are the components of the COSO internal control framework rather than SOC 1-specific objectives; the control objectives in a SOC 1 report are defined by the service organization for the services it provides.

SOC 2 Type I & II

The five Trust Services criteria:

SOC 2 reports, also issued under AICPA standards, address controls relevant to the security of a service organization's systems and the customer data they handle rather than financial reporting. They are assessed against the five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. Security (the common criteria) is required in every SOC 2 report; the other four are included only where they apply to the service. As with SOC 1, a Type I report covers control design at a point in time and a Type II report covers operating effectiveness over a period.

Industry Standards for US Businesses

CMMC 2.0

For defense contractors:

The U.S. Department of Defense's Cybersecurity Maturity Model Certification (CMMC) was introduced to verify that defense contractors actually implement the security requirements for protecting sensitive defense information. CMMC 2.0 has three levels: Level 1 covers Federal Contract Information (FCI) with the basic safeguarding requirements of FAR 52.204-21, Level 2 covers Controlled Unclassified Information (CUI) and aligns with the 110 requirements of NIST SP 800-171, and Level 3 adds a subset of NIST SP 800-172 for the most sensitive programs. Any contractor or subcontractor that handles FCI or CUI must meet the level specified in its contract.

FFIEC Cybersecurity Assessment

Assessment for financial institutions:

The FFIEC Cybersecurity Assessment Tool (CAT) helps financial institutions determine their inherent risk profile and measure their cybersecurity maturity. The Federal Financial Institutions Examination Council built it from the FFIEC Information Technology Examination Handbook, the NIST Cybersecurity Framework, and industry-established best practices, and MSPs serving banks and credit unions have used it to structure assessments. Note that the FFIEC has announced it will sunset the CAT on August 31, 2025, and points institutions toward the NIST CSF and the CISA Cybersecurity Performance Goals as alternatives, so new assessment programs should be planned with that in mind.

FTC Safeguards Rule

Rules for financial institutions:

The FTC Safeguards Rule (16 CFR Part 314) requires covered entities to maintain safeguards that protect customer information. It applies to financial institutions subject to the FTC's jurisdiction that aren't subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805, which includes many non-bank businesses such as mortgage brokers, auto dealers that extend credit, and tax preparers. The 2021 amendments, in effect since June 2023, added specific requirements: a designated qualified individual, a written risk assessment, encryption of customer information in transit and at rest, multi-factor authentication for anyone accessing customer information, and, since May 2024, notification to the FTC of breaches affecting 500 or more consumers.

HIPAA

Securing personal health info:

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is the federal standard for protected health information (PHI), enforced by the Department of Health and Human Services (HHS) Office for Civil Rights. The HIPAA Privacy Rule governs the permissible use and disclosure of PHI, and the Security Rule sets administrative, physical, and technical safeguards for electronic PHI. An MSP that handles PHI for a covered entity is a business associate and must sign a business associate agreement and meet the Security Rule itself.

MARS

For health, identification, and tax information:

Minimum Acceptable Risk Standards for Exchanges (MARS-E) are designed to ensure the confidentiality, integrity, and availability of protected health information (PHI), personally identifiable information (PII), and federal tax information (FTI) handled by health insurance exchanges and their contractors. The Centers for Medicare & Medicaid Services (CMS) developed the standards from the control catalog in National Institute of Standards and Technology (NIST) Special Publication 800-53.

NIST 800-171

Federal standard for DoD contractors:

NIST Special Publication 800-171 (NIST 800-171) is the control set that CMMC 2.0 Level 2 certifies against, and it is already a contractual requirement for defense contractors and subcontractors through DFARS clause 252.204-7012. It specifies how Controlled Unclassified Information (CUI), such as personal data, equipment specifications, logistical plans, and other defense-related information, must be protected, and contractors report their implementation score in the DoD's Supplier Performance Risk System (SPRS).

State-Specific Frameworks for US Businesses

CCPA

California’s privacy law:

The California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA) from January 2023, grants California consumers control over the personal information businesses collect from them, including the rights to know, delete, correct, and opt out of the sale or sharing of their data. Legal obligations for covered businesses include handling consumer rights requests within the statutory deadlines, providing the required privacy notices, and maintaining reasonable security procedures. MSPs offering compliance services must track these state-specific regulations and privacy laws, which increasingly differ from state to state.

NYDFS Cybersecurity Regulation

New York’s cybersecurity regulation for financial institutions:

The NYDFS Cybersecurity Regulation (23 NYCRR Part 500) is a comprehensive set of requirements for financial institutions licensed or regulated by the New York State Department of Financial Services (NYDFS). It covers organizations such as banks, insurance companies, and credit unions, and it requires them to manage the security of their third-party service providers, which puts MSPs directly in scope. The November 2023 amendment expanded these obligations, including broader multi-factor authentication requirements and additional duties for larger "Class A" companies, so MSP IT services must reflect the current New York requirements for financial institutions.

TX-RAMP

Texas’ cloud computing requirements:

TX-RAMP (the Texas Risk and Authorization Management Program), run by the Texas Department of Information Resources (DIR), is a security certification requirement for cloud computing services used by Texas state agencies. DIR describes it as "a standardized approach for security assessment, authorization, and continuous monitoring of cloud computing services that process the data of a state agency." Vendors, and the MSPs supporting them, maintain the certification through ongoing compliance monitoring.

Take the First Step Towards Compliance

Whether you’re offering Compliance as a Service, becoming a vCISO, or securing compliance for your MSP business — ControlMap is the guide you need.