Tag Archives: Compliance frameworks

Why Should You Care About Your Compliance Posture?

Findings explains why businesses should care about their compliance postures.

In general, compliance means following rules made by an authority body. In practice, it means creating a program that has security controls in place to protect the confidentiality, integrity and availability of data.

Your business and customer data is valuable to cybercriminals who may use it for malicious reasons or personal gain. They could be acting on behalf of the state or an aggressive competitor interested in your trade secrets, technical data or internal communications. Or they may be motivated by money, which they make by selling your customers’ data on the dark web or holding it for ransom. 

Why is Regulatory Compliance Important?

The risk of non-compliance with cybersecurity regulations is too big to take lightly. PCI DSS breaches cost companies a minimum of $5,000 and a maximum of $100,000 per month in fines. Fines per HIPAA violation range from $100 to $50,000. If you do business in California, the state’s data privacy law – the California Consumer Privacy Act (CCPA) – will apply to you provided you handle more than 50,000 consumers’ data or have an annual gross revenue of at least $25 million. Under the law, you could be fined up to $7,500 for sharing or processing certain types of employee information without their consent.

Harsh punitive action apart, the bad publicity that accompanies data breaches can create a trust deficit among customers and make your competitors suddenly look a lot more attractive than you. Intentional or unintentional exposure of your employees’ information due to ineffective controls or training may also cause them distress. 

What Goes Into Maintaining a Strong Compliance Posture?

You’d have to create strong defensive measures for all the places where your data lives, such as systems, networks, smart devices, routers and the cloud. Here’s where industry standards and government regulations on cybersecurity come in. While there are many, not all may apply to your industry. So, the first step in creating a strong compliance posture is to identify the cybersecurity regulations you need to comply with and the cybersecurity frameworks you can adopt to reduce your cybersecurity risk. 

You’ll then have to appoint a person to manage your cybersecurity program and stay updated with compliance requirements. Large organizations have Chief Information Security Officers (CISOs), but in a medium-sized or small company, the IT Manager, CTO or COO performs this role, usually in consultation with a cybersecurity company. 

The individual is in charge of assessing risks and vulnerabilities, and of implementing technical controls based on applicable cybersecurity regulations or a cybersecurity framework (e.g., NIST, ISO/IEC 27001 or PCI DSS), with added technical controls to meet those regulations. They will also be responsible for implementing, in collaboration with other leaders, non-technical controls such as cybersecurity policies, procedures, audits and training, which are equally important to compliance.

Cybersecurity requirements change. New threats emerge. The controls you have now may not stack up against new laws and evolving threats. Regularly assessing your security controls is necessary to identify security gaps due to any new risks that have emerged and enforce changes required to continue maintaining a robust compliance posture. If things appear complicated, a cybersecurity company or attorney specializing in cybersecurity compliance will prove to be a valuable ally by providing clarity on laws and recommendations on risk management.

Meeting the CMMC Compliance Challenge Head-On


Unless you’re already in business with the US Department of Defense (DoD), you may not have thought much about the Cybersecurity Maturity Model Certification, or CMMC. Until recently, the CMMC was a U.S. federal government compliance framework that only applied to companies who sell to the DoD.

But that changed in late 2020, when the federal government announced that all government contractors should begin preparing for CMMC compliance. At the same time, the DoD embarked on an update of the CMMC rules, adding more complexity to the challenge of complying with CMMC.

Thus, while it was possible to say a year ago that “the CMMC is coming,” we must now recognize that “the future of CMMC is here” already. Compliance strategies that sufficed in the past may no longer be enough. Now is the time to prepare if you plan to do business with U.S. government agencies of any type.

What are the CMMC levels?

As compliance frameworks go, the CMMC is relatively easy to understand. It consists of five main components, known in CMMC parlance as “levels.” Each level defines a set of cybersecurity requirements that businesses must meet.

The nature of the work your business does and the sensitivity of the government data or processes it handles determine which CMMC level you need to comply with. The engagement specifies which compliance level companies need to achieve in order to meet given contract requirements.

Here’s a breakdown of the CMMC, starting with the most basic. Note that the levels are cumulative. Level 2 compliance also requires level 1 compliance, level 3 compliance also implies levels 1 and 2, and so on.

Level 1

Level 1 requires “basic cyber hygiene,” which is defined in the CMMC as adhering to specific procedures that protect against data theft and mitigate the risk of major cyberattacks. However, level 1 doesn’t require businesses to implement these processes in a particular way or to document their compliance. Thus, level 1 compliance is the easiest to achieve.

Level 2

Level 2, which mandates “intermediate cyber hygiene,” includes somewhat more rigid cybersecurity processes and controls than level 1. Importantly, level 2 also requires businesses to establish a consistent, documented set of policies to enforce cybersecurity. You can’t approach cybersecurity in an ad hoc fashion to achieve level 2 compliance.

Level 3

To achieve level 3 compliance, you need not just document a cybersecurity plan but also be able to demonstrate that you are achieving it. In addition, level 3 adds nearly two dozen cybersecurity controls, which are part of the “good cyber hygiene” requirements of the CMMC.

Level 4

Level 4, which requires a “proactive” approach to cybersecurity, mandates that businesses review their cybersecurity practices, identify weaknesses and take steps to correct them — in addition to documenting and demonstrating compliance, as the lower levels require.

Level 5

Level 5, which requires “advanced/proactive” cybersecurity, is the toughest CMMC compliance level to meet. It mandates that businesses do not just review and improve their cybersecurity practices, but also that they optimize them on a proactive basis. The goal is to anticipate and block threats before they materialize.


Preparing for CMMC compliance: Why and how

Given the significant changes that the CMMC is currently undergoing — in terms of both which businesses the rules apply to, and what the rules include — many companies understandably aren’t sure where to start when it comes to preparing for CMMC compliance.

That’s one reason why it’s wise to work with a CMMC consultant, who understands the complexities of the framework and can guide you in establishing a plan to meet them.

Achieving CMMC certification

Even if you don’t need to be CMMC-compliant today, you may in the future if you choose to work with government agencies that adopt the CMMC as a requirement for their contractors.

And beyond compliance itself, CMMC certification is beneficial because it helps you establish a stronger security posture — a critical consideration in a world where cybercrime, including attacks on your supply chain, email compromise, ransomware and many other breaches, now costs nearly 1 trillion dollars annually, or more than 1 percent of global GDP.

End-to-end supply chain security

It’s worth noting, too, that CMMC is only one of numerous compliance frameworks that are either just coming online or being overhauled. You’ve probably heard of others, like NIST, CCPA/CPRA, and SHIELD, which also have implications for companies doing business with other companies or agencies in various industries.

Given all of this change and complexity surrounding compliance, it’s a best practice to build automated compliance controls into your operational pipelines using a tool like Findings. Compliance is only going to grow more complicated over the coming years, which is why it’s critical to identify risks across your entire supply chain — and to prove to your customers that you’re managing risks effectively.

All of the above means that many businesses have a mandate to overhaul their compliance and risk management strategies. Even if the CMMC specifically doesn’t apply to your business, chances are that other new compliance rules will. Building risk detection and management into your entire operational pipeline — including your supply chain — is crucial for meeting these new challenges.
