Preparing for and completing audits of frameworks and controls requires meticulous planning and execution. ControlMap has upgraded the audit experience in-app to further streamline the process and eliminate more tedious tasks from the to-do list with internal audits, jumpstart expansions, evidence exports, and updated vendor reports.

What’s new?

Internal Audits

MSPs and their clients can now perform an internal audit based on either frameworks or controls. Previously, audits were limited to third-parties, but we’ve provided the ability to perform this internally for a framework or a control set. This offers MSPs and their clients the following benefits:

Complete a thorough self-assessment – MSPs are able to do a self-assessment to allow them to self-attest compliance for certain security standards such as CIS Controls, NIST Cybersecurity Framework (NIST CSF), and GDPR. The internal audit provides a thorough process to ensure no details are missed.

Maximize audit readiness – Prior to a pricey third-party audit, MSPs and their clients are able to perform their own internal audit to benchmark their compliance status. They can identify security or areas for improvement and position themselves for success by addressing key issues before initiating the formal audit. Thorough preparation leads to a streamlined audit that saves the MSP time liaising with the auditor, as well as providing additional evidence or clarity around evidence and controls.

Not every MSP or client requires a third-party audit based on the organization, vertical, and compliance goals. While compliance with a certain standard may be the goal for many businesses, all organizations strive to improve their security operations. An internal audit helps support organizations earlier in their compliance journey to strengthen their security posture by identifying potential gaps and addressing them.

The internal audit feature also allows MSPs and their clients to perform robust self-assessments to ensure they meet the required standards and guidelines of frameworks that rely on self-assessment. It documents evidence of assessment (or audit) history, risks, evidence, and more that can be referenced as required in their industry.

Cross-mapping and Jumpstart Expansion

Many organizations need to satisfy the compliance requirements across multiple frameworks. ControlMap helps streamline the process by cross-mapping frameworks to identify common items required for assessment. Jumpstarts apply matching evidence to other frameworks to reduce the amount of labor. Support for the following jumpstarts is now available:

NYDFS → SOC 2, NIST CSF 2, CIS V8
CIS v8 → ISO 27001 2022, CJIS

Evidence Export

For CMMC compliance audits, auditors require submission of all evidence of compliance. With a single click of a button, ControlMap users can export all evidence required by auditors including:

A logical folder structure that includes all files and metadata;
A spreadsheet with a description of all evidence, including when it was created and by whom.

MSPs no longer have to cobble together and create an audit-friendly file & folder structure anymore – this is all automated to streamline the audit preparation process and remove friction from the audit itself. While developed particularly with CMMC in mind, the evidence export is useful across all compliance frameworks as it creates an evidence record that can be archived and accessed if required.

Vendor Reports

A key piece of compliance is tracking risks associated with vendors that have access to any sensitive information or data. Ad hoc export of vendor data had been possible, but ControlMap has now added the ability to schedule and save vendor reports. These reports are audit-ready making preparation for a third-party audit effortless – no more struggling to format excel sheets or word documents.

Get started now.

Automation is the best friend of an MSP – it eliminates tedious manual work. With the latest enhancements to the audit experience, ControlMap can put hours back in your team’s day. Log in to ControlMap to start enjoying an enhanced audit experience.

ControlMap now supports the NIST AI Risk Management Framework, enabling MSPs to support cybersecurity programs related to AI.

What is NIST AI RMF?

The NIST AI Risk Management Framework (AI RMF) is a security standard developed by the National Institute of Standards and Technology (NIST) to help manage the risk of generative Artificial Intelligence (AI). It was developed through a transparent, collaborative process and released in 2023.

The framework is designed to help organizations involved in the design, development, use, or regulation of AI technologies, to better manage risks associated with AI as well as incorporate trustworthiness into AI products.

NIST AI RMF is intended for voluntary use. It aims to align with and build upon AI risk management efforts already in place.

The benefits of NIST AI RMF

NIST AI RMF aims to help organizations manage risks associated with AI through a proactive and ethical approach. Organizations that implement this framework get the following benefits:

Guidance on AI Governance

The framework offers detailed guidance on establishing robust governance practices for AI deployments. This helps organizations create clear policies and procedures that govern AI use, ensuring compliance with regulatory requirements and alignment with business objectives.

Improved Risk Management

By adopting the NIST AI RMF, organizations can better identify, assess, manage, and monitor risks associated with AI technologies. This structured approach allows for more proactive risk management, reducing the potential for adverse impacts on the organization or any of its stakeholders.

Enhanced Trustworthiness

NIST AI RMF helps organizations ensure their AI systems are reliable and trustworthy by providing a framework that emphasizes accountability, transparency, and the ethical use of AI. This can lead to increased user confidence and a stronger reputation for organizations deploying compliant AI solutions.

Ready to get started?

It’s time for your clients to ensure risks related to their work with AI is minimized. ControlMap Partners can now import the NIST AI RMF framework to their clients’ tenants, cross-map against current frameworks, and get started addressing any gaps. Login to ControlMap to get started on NIST AI RMF now.

For more information or to learn about jumpstarting your own vCISO services with NIST AI RMF, request a demo.

ControlMap now supports the Digital Operational Resilience Act, enabling MSPs to implement cybersecurity programs for financial institutions operating within the European Union.

What is DORA?

The Digital Operational Resilience Act (DORA) is an EU regulation aimed at strengthening the cybersecurity and operational resilience of the financial sector within the European Union. It is critical for financial institutions as it mandates comprehensive management of IT risks, ensuring consistent and robust security practices across the sector to prevent and mitigate cyber incidents.

Before DORA, financial institutions mainly managed risks with the allocation of capital, but they didn’t focus on all aspects of operational strength. After DORA, these institutions need to follow specific rules for protecting against, detection, containment, and recovery capabilities for IT-related incidents. DORA sets specific guidelines for IT risk management, incident reporting, information sharing, digital operational resilience testing, and third-party IT risk management.

The benefits of DORA

DORA is a requirement for financial institutions to be in compliance with EU regulations. Compliance is required to protect financial institutions from regulatory penalties due to non-compliance. Organizations deemed non-compliant may face significant penalties that are imposed on a daily basis to encourage compliance. They may also be subject to a periodic penalty payment of 1% of their average daily global turnover in the preceding year. Outside of financial penalties, non-compliant organizations may be issued termination notices, cease-and-desist orders, and/or public notices.

However, the implementation of DORA also brings benefits that strengthen operations including:

Improved IT Risk Management: DORA establishes comprehensive rules for managing IT risks. Financial institutions are required to identify, assess, and address vulnerabilities more effectively, minimizing the chances of data breaches and system outages.

Enhanced Incident Reporting and Response: DORA mandates standardized processes for reporting IT-related incidents and responding to them. This structured approach helps institutions contain, recover from, and prevent similar incidents, improving their overall cybersecurity posture.

Stronger Third-Party Risk Monitoring: Financial institutions are required to closely monitor all third-party IT providers to reduce the risks associated with outsourcing. By regularly evaluating the resilience of their vendors, institutions can ensure their supply chains remain secure and aligned with regulatory standards.

Ready to get started?

Financial Institutions in the EU are required to be compliant with DORA. ControlMap Partners can now import the DORA framework to their clients’ tenants, cross-map against current frameworks, and get started addressing any gaps to avoid regulatory penalties. Sign to ControlMap to get started on DORA now.

For more information or to learn about jumpstarting your own vCISO services with DORA, request a demo.

Maintaining security to defend against cybersecurity threats is a never-ending process. MSPs have to continually monitor networks, assets, and more for vulnerabilities and close any gaps they find.

Now, there’s an easier way to monitor clients for vulnerabilities. ScalePad has integrated ControlMap with ThreatMate to automate vulnerability & compliance checks required to achieve and maintain compliance.

What can MSPs do with ThreatMate?

ThreatMate is an advanced attack surface management tool designed to monitor and secure networks from various cybersecurity threats. This comprehensive platform scans both external and internal network environments, including behind the firewall, and extends its monitoring capabilities to cloud services like Microsoft O365 and Google Workspace. By leveraging artificial intelligence and machine learning, ThreatMate identifies security exposures and creates targeted mission plans for vulnerability remediation, ensuring a secure cyber environment across all connected devices and endpoints.

MSPs that use ThreatMate achieve the following benefits:

Enhanced Security Capabilities: ThreatMate equips MSPs with powerful tools to detect and respond to vulnerabilities swiftly. This helps MSPs maintain the integrity and security of client data and systems across multiple clients.
Efficient Security Monitoring and Management: ThreatMate automates the monitoring and management of security threats across diverse environments, including internal and external networks, as well as across cloud services like Microsoft O365 and Google Workspace. This allows MSPs to efficiently manage larger volumes of client data and more complex network infrastructures without compromising on security.
Improved Compliance and Risk Management: ThreatMate helps MSPs ensure their clients remain compliant with cybersecurity regulations and standards. This compliance is critical in avoiding financial penalties and loss of client trust due to regulatory infractions.

Why integrate ControlMap with ThreatMate?

Integrating ControlMap and ThreatMate allows for automatic collection of scan results by company and mapping to frameworks. It can be configured to run a scan and update the results weekly for continuous checks and updates.

Collection of evidence – Once you’ve connected ThreatMate to ControlMap, the connection automatically starts collecting the following data from ThreatMate scans on a weekly cadence:

Compliance check results
Companies
Assets
Vulnerabilities
Users

Mapping to frameworks – The collected evidence is then mapped to over 50 security and compliance frameworks, such as SOC 2, ISO 27001, HIPAA, FTC Safeguards, CIS Controls, CMMC, and other frameworks and security standards. Mapping the evidence automatically provides a detailed view of any gaps that need to be addressed.

Ongoing automatic updates – The ControlMap-ThreatMate integration is not simply a one-time check. ControlMap can be configured to regularly sync with ThreatMate to provide up-to-date evidence & vulnerabilities. This will update the evidence based on the current settings, ensuring that your team is aware of any configuration changes, new risks or gaps so you can take remedial action to maintain compliance.

Connecting ControlMap and ThreatMate reduces hours of manual data imports and regular reviews. It automatically retrieves, updates, and stores current evidence required for compliance frameworks so your team can focus on maintaining and improving security.

Ready to get started?

Combine the capabilities of ThreatMate with ControlMap now. Login to your ControlMap instance to get started. For more information or a discussion on how to elevate your compliance operations, request a demo.

ControlMap now supports the NYDFS Cybersecurity Regulation, enabling MSPs to tailor cybersecurity programs for clients operating under the New York State Department of Financial Services jurisdiction.

What is the NYDFS Cybersecurity Regulation?

The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation, known as 23 NYCRR 500, is a cybersecurity framework for financial institutions operating under NYDFS jurisdiction.

Established in March 2017, NYDFS mandates stringent security standards, requiring financial institutions to maintain secure data systems and reduce vulnerabilities. It covers organizations such as banks, insurance companies, credit unions, and their third-party service providers. To be compliant, institutions operating under NYDFS jurisdiction must ensure their cybersecurity practices align with the regulation’s standards.

The benefits of the NYDFS Cybersecurity Regulation?

While the NYDFS Cybersecurity Regulation is a requirement for financial institutions, it does provide further tangible benefits to these organizations. Implementing the framework leads to:

Enhanced security – The regulation’s comprehensive policy requirements strengthen an institution’s cybersecurity posture, reducing the risk of breaches through rigorous protocols and controls.
Improved Risk Management – Regular risk assessments enable proactive risk identification and mitigation
Third-party Risk Reduction – By extending the requirements to third-party providers, the regulation ensures that supply chain risks are identified, managed, and mitigated effectively.

Implementing the NYDFS Cybersecurity Regulation helps financial institutions achieve stronger security and compliance, empowering them to manage risks while building trust with clients.

Ready to get started?

It’s time for your clients under NYDFS jurisdiction to have peace of mind that they are compliant with all regulations. Login to ControlMap to get started on NYDFS now. For more information or to learn about jumpstarting your own vCISO services with NYDFS, join a demo.

At ScalePad, we’re constantly striving to equip our MSP partner community with the tools they need to excel in managing cybersecurity compliance. Today, we’re excited to announce a significant upgrade to our MSP Dashboard, designed to streamline the way MSPs interact with data and assess their client’s compliance status.

Why a new MSP Dashboard?

Our decision to revamp the MSP Dashboard stems from a deep understanding of the challenges faced by MSPs in maintaining compliance across multiple clients. Recognizing the opportunity to enhance the ControlMap MSP dashboard to address these roadblocks, we set out to create a solution that would enable MSPs to monitor client risks more efficiently.

What’s New?

The enhanced MSP Dashboard is more than just a facelift; it represents a fundamental shift in how MSPs interact with compliance data. Here are the highlights:

Intuitive Interface: Say goodbye to the hassle of navigating through multiple tenets to get a clear picture of client compliance data. The revamped dashboard offers a single-pane-of-glass view, consolidating scores and statuses across clients.
New Scoring: With the new interface, MSPs can quickly assess the compliance posture of each client without the need to launch individual portals. “Health” and “Risk” scores provide MSPs with vital insights into their client’s vulnerabilities. A timeline shows the scores across the previous four months, demonstrating progress over time.
Pre-assessments: MSPs can now perform a preliminary risk assessment using 28 templated questions for prospective clients and create a client-facing report. This report can be used for prospecting to get client buy-in prior to clients commiting to starting a full-on compliance program.
Account Management & Customization: Need to add more tenants? No problem. Within the new MSP Dashboard, it’s easy to make modifications to your subscription, allowing you to get started with new clients fast. Plus, you can add your client’s logos to make the interface even more easy to navigate.

What Does This Mean for MSPs?

The enhanced MSP Dashboard isn’t just about improved functionality; it’s about helping our partners to thrive in offering compliance as a service. By providing a centralized hub for monitoring compliance and managing risks and completing pre-assessments for prospecting, we’re arming partners with the tools needed to deliver exceptional service to clients and stay ahead of emerging threats.

Get Started Today!

Ready to experience the future of cybersecurity compliance management? The enhanced MSP Dashboard is now live and available for all MSP partners. Log in today to explore the new features and take your oversight capabilities to the next level.

Stay tuned for more updates and enhancements as we continue to innovate and support our partners in their mission to safeguard digital assets and protect against cyber threats.

Cybersecurity compliance is a moving target, and we’re committed to helping our Partners navigate the complex landscape with confidence. That’s why we’re so excited to share the latest updates to ControlMap, which our development team was hard at work on over March 2024, including an activity log feature, the release of major frameworks, and new integrations.

New for March 2024

Framework releases: NIST CSF 2.0, HIPAA Privacy Rule, Breach Notification Rule
Integrations: Duo Security and Breach Secure Now
Platform Updates: Activity Logs

More details below.

Activity Logs

Many cybersecurity frameworks, including NIST CSF 2.0 and CMMC 2.0, require activities to be tracked throughout the compliance journey. Now, within ControlMap, admins can view “Activity Logs” —a list of actions taken within ControlMap. Tracked activities include actions that are:

CREATED – e.g., an asset
UPDATED – e.g., a status update
IMPORTED – e.g., a framework
DELETED – e.g., a policy

The new Activity Log feature makes it easy to track and manage activity data as part of your compliance efforts.

HIPAA Privacy Rule

This framework provides federal standards to safeguard the privacy of personal health information and gives patients an array of rights concerning that information, including the right to examine and obtain a copy of their health records and to request corrections.

For our Partners who specialize in healthcare this new framework allows them to diversify their HIPAA compliance offering, as well as boost the security of sensitive data.

The HIPAA Privacy Rule gives our healthcare-focused Partners one more advantage in delivering compliance services for their clients.

Breach Notification Rule

HIPAA’s Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed — or “breached,” — in a way that compromises the privacy and security of their PHI.

Adding the Breach Notification Rule to ControlMap helps our Partners who specialize in healthcare, allowing them to safeguard their clients’ PHI.

Another win for our Partners who service clients in the healthcare space!

Thinking about offering compliance services?

Join us on this cybersecurity compliance journey as we redefine the standard with MSPs at the forefront. Contact our sales team or book a demo to see how ControlMap guides the lift-off of vCISO services.

Stay tuned for more updates as we continue to drive innovation and support our Partners on their MSP adventure. Check out the ScalePad Community here to track all of our exciting new features and announcements.

Quiz time: What is the biggest security risk for organizations? You guessed it: employees.

Now, there’s an easier way to assess employee risk and map it to your compliance program. ScalePad is excited to unveil the latest integration for ControlMap: Breach Secure Now. This integration brings new insights to MSPs and vCISOs looking to bolster their client’s security posture.

What can MSPs do with Breach Secure Now?

Breach Secure Now provides visibility to training status across clients, MSPs can bolster their client’s cyber resilience. Here are some of the key benefits of leveraging the platform for MSPs:

Reduce risk. Employees are frequently the target of cyberattacks. By implementing a solution to train and monitor employees of clients, Breach Secure Now addresses the biggest vulnerability for most organizations.
Scoring. MSPs can score clients based on the training they have completed, providing the insights needed to address vulnerabilities.
Learn more about how Breach Secure Now can support your MSP here.

Why integrate with Breach Secure Now?

With Breach Secure Now, MSPs can monitor security training within the ControlMap platform and map employee training data directly to compliance controls. This helps MSPs (and their clients) streamline the collection of evidence for audit prep, saving hours of work.

How does this integration work?

This integration is tailored for partners of ControlMap who either currently utilize Breach Secure Now as their access security tool or are seeking to diversify their toolset with Breach Secure Now’s capabilities.

With this integration, ControlMap users gain the ability to seamlessly sync employee training data from Breach Secure Now directly into ControlMap. This includes:

Company data
Users of each company
Training detail of each company’s user

ControlMap connects to Breach Secure Now through public APIs, facilitating smooth data synchronization between the two platforms. MSPs can leverage this integration by having an existing account with Breach Secure Now, enabling ControlMap to pull people and security training data directly into the compliance platform.

Ready to get started?

Combine the capabilities of Breach Secure Now with ControlMap to demystify the relationship between security training and security compliance. Login to your ControlMap instance to get started.

For more information or a discussion on how to elevate your compliance operations, request a demo.

Fact: NIST CSF has been the second-most used framework within ControlMap (just behind CIS Controls). This framework has been a pioneer in security compliance and is frequently the topic of conversation with our partners.

With the introduction of NIST CSF 2.0, MSPs can ensure their clients have a cyber risk mitigation that works for them – regardless of their industry or size.

What is NIST CSF 2.0?

The NIST Cybersecurity Framework (CSF) is a security standard developed by the National Institute of Standards and Technology (NIST) to help organizations manage and improve their cybersecurity posture. It provides a common language to assess and manage an organization’s cybersecurity risk. Over the past decade, NIST CSF has been a widely used framework by MSPs and their clients.

Now, NIST CSF has even more to offer. As the first major update to the framework since 2014, NIST CSF 2.0 takes cybersecurity compliance up a notch. The most notable updates include:

Broader audience

Historically, NIST CSF was an essential framework for critical infrastructure sectors, such as healthcare or financial services. Now, NIST CSF 2.0 caters to a wider range of businesses and has been adapted to support any sector. Revisions to the framework have made it applicable to organizations of any size as well, supporting compliance programs of any maturity level.

New Core Function: Govern

With the addition of a new core function, NIST CSF 2.0 highlights the importance of governance in mitigating cyber risk. Moreover, some outcomes previously listed under the Identify function are now under Govern. Ultimately, this update demonstrates the importance of governance, helping to pair compliance to risk with the highest level of standards.

The Benefits of NIST CSF 2.0

Many of the benefits of NIST CSF apply to NIST CSF 2.0. Here are some of the advantages of implementing NIST CSF 2.0.

Flexibility: NIST CSF 2.0 provides a flexible framework that can be tailored to fit the specific needs and risk profile of an organization. It is useful regardless of the maturity level and technical sophistication of an organization’s security compliance programs. So, it’s a great standard for MSPs to offer their clients across industries.

Educational Resources: Worried that your clients will be overwhelmed by NIST CSF 2.0? Good news! With NIST CSF 2.0, resources are provided to help inform users on how they can achieve the framework’s core outcomes. From Quick Start guides to examples, these resources allow organizations to adopt and manage NIST CSF 2.0 without having to be dedicated cybersecurity experts.

Recognition: In general, NIST CSF has gained widespread recognition and acceptance by security professionals, including MSPs. Adopting NIST CSF 2.0 demonstrates a commitment to cybersecurity best practices and can enhance an organization’s reputation and credibility.

Ready to get started?

It’s time for your clients to have peace of mind. Login to ControlMap to get started on NIST CSF 2.0.

For more information or to learn about jumpstarting your own vCISO services with NIST CSF 2.0, request a demo.