Tier 2 - Accepted Security Frameworks

You can eliminate redundant testing if you can provide the assessor with valid certifications or independently audited framework compliance artifacts.

Upload your certification as evidence so the Tier 2 CASA specialist can validate it and accelerate your validation process. The accepted certifications and frameworks are listed below:

| Accepted Frameworks | Description | Evidence to upload to accelerate CASA | Example Upload |
|---|---|---|---|
| SOC 2 | The purpose of the SOC 2 report is to evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy. | One of: independent audit report; letter of attestation from an independent assessor | Link |
| NIST 800-53 rev4 / NIST 800-53 rev5 | A set of security standards that provides a catalog of security and privacy controls for all U.S. federal information systems except those related to national security. | One of: independent audit report; letter of attestation from an independent assessor | Link |
| ISO 27002 v2022 | Requirements and guidelines that address public cloud PIMS and PII management requirements for both processors and controllers. | Independent assessment report | Link |
| NIST 800-171A | NIST 800-171A is a framework designed to safeguard CUI (Controlled Unclassified Information) on the networks of third-party government contractors and subcontractors. | One of: independent audit report; letter of attestation from an independent assessor | Link |
| NIST 800-172 | NIST 800-172 is a supplement to NIST Special Publication 800-171. | One of: independent audit report; letter of attestation from an independent assessor | - |
| ISO 27701 v2019 | A global privacy standard that focuses on the collection and processing of personally identifiable information (PII). This standard was developed to help organizations comply with international privacy frameworks and laws. | One of: independent audit report; letter of attestation from an independent assessor | Link |
| FedRAMP (all levels) | The Federal Risk and Authorization Management Program (FedRAMP) is a U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. | One of: letter of attestation from an accredited FedRAMP 3PAO; a screenshot of your product on the FedRAMP Marketplace | Link |
| CIS CSC v8 | A set of best-practice cybersecurity standards that provides the baseline configurations to ensure compliance with industry-agreed cybersecurity standards. | One of: screenshot of CIS controls compliance dashboard; self-assessment report; independent audit report | Link |
| IEC 62443-4-2 | A set of security standards for the secure development of Industrial Automation and Control Systems (IACS). | ISASecure certification | Link |
| COBIT 2019 | Control Objectives for Information and Related Technology (COBIT) is a framework for the governance and management of enterprise information and technology, aimed at the whole enterprise. | COBIT 2019 self-assessment report based on CMMI | - |