Known more commonly as NIST, the National Institute of Standards and Technology provides cybersecurity frameworks that not only are integral for many government and Department of Defense contracts but are also widely accepted as a solid launch point for most organizations’ cybersecurity efforts. Schellman has been operating in the federal compliance space for years as an accredited FedRAMP 3PAO, and now as a CMMC C3PAO. Over that time, we’ve helped many of our clients decipher the many NIST frameworks as they determined the right direction for them and their environment.

Every so often, a road needs to be repaved.

Think about those a la carte sushi restaurants—the very cool ones with the circulating conveyor belts that let you select different dishes as they suit your fancy. Maybe your go-to is always California rolls, but you spot some delicious-looking Rainbow Rolls so you grab those one time. Or maybe you’re craving a Spicy Tuna roll, so you add that to your plate. Even if sushi is not quite your taste, you’d probably agree that SOC 2 audits are even less appetizing. Aside from the actual, in-depth audit process, they also require you to make a lot of decisions first, and it’s just added stress. That’s why you want to ensure that you take the audit path most helpful to you, and that includes the right criteria. SOC 2 functions a lot like that sushi conveyor belt—you have a lot of potential options. And we don’t just mean the SOC 2 Trust Services Categories (TSCs) that you have to select from to form the basis of your examination. We mean adding what is technically known as additional “subject matter.” For simplicity’s sake, we’ll just refer to it as “additional criteria.”

When it comes to IKEA, we’d all probably agree that the Swedes make some great flat pack furniture that can either upgrade your space or just do in a pinch.