Secureframe Launches 12 New Frameworks, Including NIST and CMMC, to Help Customers Enhance Their Security, Privacy and Compliance Posture

  • September 12, 2022
Author

Emily Bonnie

Senior Content Marketing Manager at Secureframe

New NIST SP 800-53, CMMC, NIST 800-171, PCI DSS SAQ-A and -D, NIST Privacy, ISO 27701, NIST CSF, Microsoft SSPA, and MVSP frameworks to help more customers achieve and maintain compliance

SOC 2 and ISO 27001 are trusted frameworks for safeguarding customer and business data for companies across industries and growth stages. Both reports are often required to do business in the United States and internationally, respectively. However, depending on the industries that your organization serves, the geographies where you operate, and the customers with whom you do business, there may be other security, privacy, and compliance frameworks that are required.

That’s why we’re excited to announce Secureframe’s support of new frameworks across federal, payment industry, privacy, commercial, and security best practices alongside our existing support for SOC 2, ISO 27001, HIPAA, GDPR, CCPA, and PCI DSS. Combined, Secureframe’s modern, all-in-one governance, risk, and compliance (GRC) platform helps organizations and compliance teams understand requirements, manage controls, streamline workflows, and automate both tasks and evidence collection to achieve and maintain continuous compliance across their business.

Additionally, Secureframe has expanded our SOC 2 offering to now include all 5 available Trust Services Criteria by supporting Processing Integrity and Privacy. 

“Customers praise Secureframe for how we enable them to achieve and maintain the most rigorous global standards, consistently asking us to extend our platform’s capabilities to other security, privacy, and compliance frameworks required in their business,” said Shrav Mehta, founder and CEO, Secureframe. “Today’s announcement on our expansion covering more frameworks is a direct response to customer feedback and the overwhelming success and value customers are achieving with our all-in-one governance, risk, and compliance platform.”

“We were impressed with how quickly and easily Secureframe helped us get audit ready to achieve both SOC 2 and ISO 27001 compliance,” said Yingsong Wang, Information System Security Engineer at Haystack Team Inc. “We're excited that Secureframe has expanded its platform to include more frameworks, including ISO 27701. We're confident Secureframe will continue to help Haystack achieve and maintain continuous compliance with speed and ease.”

Read on to learn more about these frameworks and how Secureframe helps you get compliant quickly and easily. If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform, please schedule a demo.

Federal Frameworks

The National Institute of Standards and Technology (NIST) was founded by Congress in 1901 to improve the industrial competitiveness of the United States. Today, NIST develops many of the frameworks used by government organizations and agencies to manage cybersecurity risk. A business that does business with government agencies, or that interacts with or stores sensitive government data, needs to be compliant with one or more of these NIST frameworks.

NIST 800-53

The National Institute of Standards and Technology (NIST) 800-53 is a security compliance standard and framework developed by NIST to help federal agencies and their supporting contractors meet the requirements of the Federal Information Security Modernization Act (FISMA). Any organization that works with the federal government or carries federal data is required to comply with NIST 800-53 to maintain the relationship.

NIST 800-53 has a larger volume of controls with more specific and detailed requirements when compared to other frameworks. For example, NIST includes many "organizationally-defined" parameters that are not clear cut, meaning every organization has to define for itself the parameters (i.e. scope and frequency) for the controls in their system security plan (SSP). 

Commercial companies that do not handle federal information or work with federal organizations and agencies commonly use NIST 800-53 as a guide for securing their systems, but they wouldn't necessarily be subject to FISMA.

NIST 800-171

The National Institute of Standards and Technology (NIST) 800-171 is focused on the protection of Controlled Unclassified Information (CUI) that resides in non-federal systems and organizations. The security requirements outlined in NIST 800-171 apply to components of any non-federal system or organization that processes, stores, and/or transmits CUI, or that provides protection for such components.

There is no certification body or official audit to determine a contractor’s adherence to the NIST 800-171 requirements. However, contracted companies that work with the Department of Defense (DoD) are required to undergo NIST 800-171 assessments by a certified entity or cybersecurity partner. Secureframe automates compliance to aid in the audit readiness process, including SSP and Plan of Action and Milestones (POAM) templates and documentation. 

CMMC

The Cybersecurity Maturity Model Certification (CMMC) is an assessment framework and assessor certification program designed to increase the trust in measures of compliance to a variety of standards published by the National Institute of Standards and Technology (NIST) in accordance with Department of Defense (DoD) standards. Companies that work with or are thinking of working with the DoD in the future need to be CMMC certified.

CMMC organizes NIST security requirements into a set of domains, which map directly to the NIST control families and NIST 800-171 framework. CMMC 2.0 is currently in a transition period during the rulemaking process, which means it is not yet contractually required. The DoD is exploring opportunities to provide incentives for contractors who voluntarily obtain a CMMC certification in the interim period. 

For these federal frameworks, Secureframe automates compliance with monitoring, automated tests, templates for privacy policies and procedures, and everything else an organization needs to achieve NIST 800-53, NIST 800-171, and CMMC compliance. Secureframe's CMMC mappings are based on version 2.0, giving government contractors a head start on future requirements. If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform for your organization’s federal government compliance needs, please schedule a demo.

Payments Frameworks

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards intended to ensure that all companies that process, store, transmit, or impact credit card or cardholder data maintain a secure environment.

PCI DSS compliance requires either a Level 1 Report on Compliance (RoC) or a Level 2-4 Self-Assessment Questionnaire (SAQ). Secureframe already helped customers obtain a Level 1 RoC and now also supports SAQ A and SAQ D.

PCI DSS SAQ A

SAQ A is for any eCommerce or mail/telephone order organization where payment cards are not present during the transaction. All cardholder data functions are outsourced to a third-party service provider, and no cardholder data is stored, processed, or transmitted on the merchant’s systems or premises. 

PCI DSS SAQ D (Merchants and Service Providers)

All merchants who don’t fit into another SAQ category will need to complete an SAQ D. All service providers who are eligible to complete an SAQ will also need an SAQ D.

For these payment frameworks, Secureframe makes getting and maintaining compliance fast and easy with automatic evidence gathering through integrations, templates for PCI DSS policies and procedures, automated and custom tests, and everything else an organization needs to achieve PCI DSS compliance. If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform for your organization’s PCI DSS compliance, please schedule a demo.

Privacy Frameworks

With an increasing amount of personal and consumer data being collected by businesses, concerns about the protection and distribution of that data have risen. Secureframe already helps companies get compliant with data privacy laws like HIPAA, GDPR, and CCPA. Now we have added two more frameworks to help enhance your privacy and compliance posture.

NIST Privacy Framework

The National Institute of Standards and Technology (NIST) Privacy Framework was developed by NIST to provide organizations with a framework for communicating and prioritizing their privacy protection activities. It’s a broad framework that is kept up-to-date with technology trends and is agnostic to any particular technology, sector, standard, law, or jurisdiction.

The NIST Privacy Framework was designed to be flexible and usable by any type of organization across the world, regardless of their local laws and regulations. This enables the framework to be adopted quickly, but it also means organizations still need to demonstrate compliance with laws and regulations like GDPR and CCPA if they apply.

ISO 27701

The ISO 27701 standard is part of the ISO 27000 family of standards. While ISO 27001 covers information security, ISO 27701 expands existing information security to cover privacy. As such, ISO 27701 requires the organization to establish, maintain, and continuously improve a privacy information management system (PIMS). Given the rising popularity and interest in data privacy, ISO 27701 was created by taking into consideration existing privacy legal frameworks, including GDPR legal framework requirements. 

ISO 27701 is not a standalone certification but rather an extension of ISO 27001. This is because information security is critical in protecting data, including personal data or personally identifiable information (PII). Organizations that want to complete ISO 27701 must complete ISO 27001 before or at the same time. The ISO 27701 certification will be tied to the ISO 27001 certificate.

Getting compliant with privacy frameworks requires a lot of time and effort to understand the specific controls needed and to write proper policies and procedures. Secureframe’s platform was purpose-built to help organizations get compliant quickly and securely. Secureframe simplifies compliance with automated and custom tests, templates for privacy policies and procedures, and everything else an organization needs to achieve HIPAA, GDPR, CCPA, NIST Privacy Framework, and ISO 27001 compliance quickly. If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform, please schedule a demo.

General Information Security Frameworks

There are many frameworks for protecting sensitive data from cyber attacks. Below are additional frameworks that Secureframe supports to help organizations enhance their security, privacy, and compliance posture. One is provided to protect critical infrastructure cybersecurity (NIST CSF), one is company-specific to protect confidential data (Microsoft SSPA), and one is meant to help small businesses set up a reasonable security posture quickly (MVSP).

NIST CSF

The National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) was introduced in 2014 and updated with version 1.1, made publicly available on April 16, 2018, to establish shared knowledge and best practices around cybersecurity risk and threats to critical infrastructure. The US National Institute of Standards and Technology partnered with both private sector and government experts to create a framework for critical infrastructure cybersecurity.

There are a few different types of organizations that may want to implement NIST CSF, including organizations that:

  • Work with the US federal government
  • Work for institutions supported by federal grants
  • Work within the supply chain for a federal agency
  • Are commercial organizations that want to demonstrate a strong security posture

The NIST CSF framework helps assess cybersecurity risk and do a control assessment across an entire organization.

Microsoft SSPA

Microsoft’s Supplier Security and Privacy Assurance (SSPA) program is a set of security and privacy requirements and practices that specifies the Data Protection Requirements (“DPR”) with which vendors (“suppliers”) in Microsoft’s information supply chain must comply prior to conducting business with Microsoft. SSPA applies to suppliers that wish to process Microsoft personal or confidential data as part of their vendor relationship with Microsoft. All enrolled suppliers are then required to complete SSPA compliance tasks annually.

MVSP

Minimum Viable Secure Product (MVSP) is a minimum security baseline for enterprise-ready products and services. MVSP was developed by industry partners, including Google, Okta, Salesforce, and Slack; Secureframe has joined the MVSP working group and will begin contributing to further developing this framework. Designed with simplicity in mind, the checklist contains only those controls that must, at a minimum, be implemented to ensure a reasonable security posture.

For these general frameworks, Secureframe automates compliance with monitoring, automated tests, templates for required policies and procedures, and everything else an organization needs to achieve NIST CSF, Microsoft SSPA, and MVSP compliance. If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform, please schedule a demo.

SOC 2 Privacy and Processing Integrity

Processing Integrity and Privacy are two of the five Trust Services Criteria that make up the SOC 2 standards: 

  • Privacy looks at how an organization's control activities protect customers’ personally identifiable information (PII). It also ensures that a system that uses personal data complies with the AICPA’s Generally Accepted Privacy Principles (GAPP).
  • The Processing Integrity Criteria determine whether a system performs its intended functions without delay, error, omission, or accidental manipulation.

Ready to Get Started?

If you’re interested in Secureframe’s modern, all-in-one security, privacy, and compliance platform, please schedule a demo.