Compliance Frameworks
Reviewed by James Corbin, CISSP, FedRAMP 3PAO Assessor FedRAMP is the federal government's mandatory authorization program for cloud services. No authorization means no government sales — period. Authorization requires implementing NIST 800-53 controls, passing an independent third-party assessment, and PMO approval. The process takes 12-24 months and costs $500K
Compliance Frameworks
Reviewed by James Corbin, CISSP, CJIS Security Policy Specialist CJIS is the FBI's security standard for protecting criminal justice information — and it is non-negotiable. Every person and system accessing the CJIS network must meet prescriptive requirements for data classification, multifactor authentication, encryption at rest and in transit, network
Compliance Frameworks
Reviewed by Sarah Mitchell, Ed.D., CIPP/US FERPA is education's foundational privacy law, granting students and parents rights to access and correct educational records while restricting disclosure to third parties without consent. It applies to virtually every school receiving federal funding. Unlike HIPAA, FERPA prescribes no specific
Compliance Frameworks
Reviewed by Thomas Reinhardt, CISA, CRISC, Financial Services Compliance Specialist GLBA is federal law requiring every financial institution — banks, insurance companies, credit unions, lenders — to protect customer information through the Safeguards Rule, Privacy Rule, and disposal requirements. The 2023 FTC Safeguards Rule update made requirements significantly stricter, mandating encryption, MFA,
Compliance Frameworks
Reviewed by Danielle Vargas, CIPP/US, CIPM At least twelve US states have enacted comprehensive privacy laws, and that number will reach twenty within two to three years. The laws share a common pattern — consumer rights to access, delete, correct, and opt out — but vary in scope, definitions, timelines, and
Compliance Frameworks
Reviewed by Danielle Vargas, CIPP/US, CIPM All 50 states and DC have data breach notification laws requiring you to notify affected individuals, and often regulators, within specific timeframes after discovering a breach. The laws differ in timing, content, recipient requirements, and penalties — meaning a multi-state breach requires managing multiple
Compliance Frameworks
Reviewed by Danielle Vargas, CIPP/US, CIPP/E, CIPM GDPR applies to any US company processing personal data of EU residents — regardless of where you're located, incorporated, or host servers. Fines reach 4% of global annual revenue or 20 million euros, whichever is higher. Enforcement is active and
Compliance Frameworks
Reviewed by Danielle Vargas, CIPP/US, CIPM CPRA replaced key parts of the original CCPA in 2023, expanding consumer rights, broadening the definition of personal information, and creating a dedicated enforcement agency. Any for-profit business collecting data from California residents is likely in scope. Penalties run $2,500-$7,500
Compliance Frameworks
Reviewed by the Fully Compliance editorial team ISO 27001 certification for a medium-sized organization (100 employees, moderate scope) typically costs $150,000 to $250,000 over three years and takes 18 to 24 months from decision to certificate. Auditor fees are the visible cost, but internal labor is usually the
Compliance Frameworks
Reviewed by Marc Allenby, CISA, CISM, ISO 27001 Lead Auditor ISO 27001 is broader, globally recognized, and covers your entire information security management system. SOC 2 is narrower, US-market dominant, and focuses on controls protecting customer data. Your customer base determines which you need — ask what they require, and the
Compliance Frameworks
Reviewed by the Fully Compliance editorial team ISO 27001 Annex A defines 93 security controls across 14 categories that organizations must address as part of certification. Controls are not checkboxes applied identically to every organization — they are tailored to your risk assessment and scope. The categories span everything from access
Compliance Frameworks
Reviewed by the Fully Compliance editorial team ISO 27001 certification follows a structured path: readiness assessment and gap analysis, remediation, internal audit, Stage 1 readiness review by your certification body, Stage 2 full certification audit, finding remediation, and certificate issuance. The complete journey typically takes 18 to 24 months from