Rizkly Product Overview

Compliance is continuous; Rizkly helps you keep it up, efficiently and effectively.

SaaS App

  • Simple App for Cybersecurity and Compliance Management
  • Dashboard & Alerts
  • Custom or Standard Compliance Checklists
  • Secure Document Repository
  • Audit-Ready Documents
  • Supplier and Consultant Login Access

vCISO/vCO Expert Advisory

  • Dedicated vCO/vCISO Certified in Your Compliance Framework
  • Conducts Your Initial Cyber or Gap Assessment
  • Regular Meetings and Ad-Hoc Assistance
  • Compliance Bulletins Relevant to Your Business
  • Quarterly Reviews with Your Rizkly CISO
  • Add Advisor Time to Any Platform Subscription

Cyber Compliance Platform 

Streamline and Automate Compliance Operations

Quick Start

Secure, cloud-based application: no software or hardware to install

No Setup

  • Secure, cloud-based app with dedicated advisor; get up and running in a day
  • Designate employees, advisors and subcontractors with secure role-based access

Dashboards & Alerts

Visualize compliance status and overdue actions, and drill down to specific tasks

  • Visualize compliance status and overdue actions with the ability to drill down to specific tasks
  • Provides insight into, and confidence in, your company’s security and compliance posture

Collaborative Compliance

Staff, vendors and your expert advisor all connect with Rizkly


Achieve Compliance Online

  • Coordinate compliance activities across distributed teams including vendors and consultants
  • Assign and track control ownership, evidence collection and due dates
  • Message or call your Rizkly expert advisor when help is needed

Evidence Collection

Systematically collect and track evidence as required for compliance

  • Attach evidence to control items
  • Alert owners when it’s time to attach evidence
  • Option to require approval for attached evidence
  • Let assessors and partners securely view evidence

Compliance Shared Responsibility Tracking

Systematically track shared responsibilities so that inherited controls are properly credited

Shared Responsibility

  • Identify shared responsibility for each control
  • Preloaded service offerings from AWS and Azure
  • Add your own vendors for inherited controls
  • Generate a shared responsibility matrix

Customizable Projects

Use included standards templates or create your own

  • Use included regulatory frameworks or your own
  • Organize management of controls and ownership
  • Save time with expert guidance from Rizkly experts

Broadcast Controls

Simplify efforts with control items that automatically update related controls


Automation for Mapped Controls

  • Eliminate redundant work to satisfy similar controls across multiple projects
  • Streamlines reporting and increases audit success

Data Import & Export

Import and export policy and procedure information into and out of Rizkly

  • Customers using a wiki or spreadsheets can quickly import existing compliance data into Rizkly
  • We help GRC platform customers with a smooth migration to Rizkly

OSCAL 1.0 Ready

Support for the NIST standard for automated assessment

Compliance Innovation

  • XML/JSON API for data feeds
  • Secure assessment and reporting with third parties

Incident Response for Compliance

Document, track and report incident response to enhance cyber posture and meet regulatory compliance requirements.

Document Incident Response

  • Incident details with initial reporting, sequence of events, mitigation & documentation
  • Address reporting and compliance requirements
  • Apply your own formatting

Security & Confidence

Confidently empower employees, advisors and vendors to achieve your compliance.

  • Secure web access for internal and external users
  • Configure projects according to the structure of your organization
  • Restrict data and functionality based on roles

Standards & Expert Advisory

Your Expert Compliance Guide

One of the key benefits of Rizkly is expert advisory when you need it.

Expert Advisory

  • Initial gap assessment
  • Policy & procedures assistance
  • Remediation and control implementation
  • Artifact review and audit preparation

Compliance Bulletins

Avoid the hassle and cost of keeping track of changing compliance standards

  • Rizkly experts help you maintain a healthy security and compliance posture
  • Receive security and compliance actions tailored to your business

Compliance Frameworks

Complete support for industry frameworks, e.g. NIST 800-171, SOC, CSF, ISO & CCPA


Comprehensive Support

  • Updated control libraries covering all industry-mandated requirements (NIST, FISMA, HIPAA, GDPR, CCPA, SOC, PCI, etc.)
  • Upload and customize your own requirements
  • Reference information and expert guidance for each control

vCO and vCISO

Certified Rizkly experts are here to ensure you successfully achieve and demonstrate security and compliance

  • Answer questions on regulatory requirements
  • Preparation and support for navigating external audits
  • Quarterly cybersecurity and compliance reviews with leadership team

Comprehensive CMMC Support

Rizkly makes preparing for the CMMC requirements faster and easier

More Efficient CMMC Success

  • Complete coverage of existing and proposed CMMC 2.0 requirements (domains, practices, referenced controls, process maturity, interim rule scoring) for Levels 1 through 3
  • Leverage existing control information from 800-171, ISO, SOC, etc. to quick-start CMMC efforts
  • Roll out assessments, including the new DFARS scoring requirements, across the organization or across suppliers/partners

Pre-Mapped Frameworks

With all of the major frameworks pre-mapped, you reduce work while knowing that progress on one project is credited in the other

Don't Do Double Work

  • Out-of-the-box mapping between the controls of any two frameworks
  • Rizkly expert advisors work with you to fine-tune mappings based on your specific environment and situation
  • Ability to specify primary and secondary source control mappings

Common Core Controls

Achieve compliance with multiple frameworks your way.


Achieve Compliance at Scale

  • Implement a master set of common controls that map to multiple frameworks
  • Get details on source and target controls across each project and make rapid adjustments to mappings
  • Quickly see where you stand in terms of achieving compliance with other frameworks

Demonstrate Compliance & Achieve Certification

Audit Document Generation

One-click creation of System Security Plans (SSP) and Plans of Action & Milestones (POA&M)

  • Generate SSP and POA&Ms in seconds
  • One-click creation of audit-ready documentation
  • Save time & money while meeting audit requirements

Gap & Assessment Reports

One-click creation of reports that show gaps and weaknesses

Quickly Generate To-Do Lists

  • Generate SSP and POA&Ms in seconds
  • One-click creation of audit-ready documentation
  • Save time & money while meeting audit requirements

Manage Assessment Findings

Tie remediation activities to identified gaps and weaknesses to prioritize improvements.

Achieve Remediation Accountability

  • Assessment findings have unique identifiers
  • Associate action items with assessment findings
  • Quickly prioritize and track remediation owners & status

Supply Chain Compliance

Streamline compliance initiatives with vendors, assessors and partners


Supply Chain Compliance

  • Enforce vendor/supplier compliance requirements with Rizkly
  • Assign controls and easily track compliance with many vendors/suppliers
  • Spot and view risks for a single vendor or across all vendors in aggregate

Policies & Procedures

Templates are just the beginning; Rizkly is the fast, easy way to build your audit-ready set of policies & procedures


Policies & Procedures

  • Policy and procedure templates
  • Online editing or link to your existing docs
  • Version management with approvals
  • Option for mapping to specific controls

Compliance Risk Register

Manage & Track Risks

Document risks and mitigating actions and establish priorities, all in one place.

  • Perform cybersecurity risk management
  • Associate risks with compliance controls
  • Score risks and generate reports for management visibility

Document Library

Organize compliance documents and evidence in one secure, cloud-based library

  • Secure, cloud-based storage
  • Role- and user-based access controls
  • Project-specific or custom folders
  • Single location for organizing and accessing compliance documentation

Stay on top of updates to policies & controls with easy access to a list of changes

  • Easy tracking for all changes to any compliance project in Rizkly
  • See who did what and when they did it
  • Streamline large projects where multiple users/parties are involved

For Advisor & Training Partners

Training & Testing

Quickly roll out and track cyber & compliance training online

Train & Track It Faster

  • Cybersecurity and compliance training for staff, contractors and partners
  • Create and deliver tests
  • Use our content or upload your own
  • Easy tracking of who’s completed and who hasn’t

Online Assessment

Ascertain maturity and risk in a holistic, secure and efficient manner


Baseline & Benchmark Efficiently

  • Survey and document locations and environments, or gauge risk
  • Use included assessments or develop and customize your own
  • AI or advisor-based recommendations based on assessment results

White Label Customization

We provide modern technology that helps advisors grow their business.


Scale Business with Cybersecurity Compliance Technology

  • Tailor logo and colors for your customers
  • Add your own policy and procedure templates and guidance
  • Add custom guidance that only your customers see

Rizkly Datasheet

Learn more about why we created Rizkly and how customers quickly launch towards improved cybersecurity using our platform and experts.

What is OSCAL and its role in FedRAMP Automation? (2023-08-16)

By Chor-Ching Fan

FedRAMP automation is on its way. The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks that are based on security controls and functional requirements. OSCAL supports the expression of compliance information in XML, JSON and YAML formats. OSCAL 1.0 was released in June 2021, and the current release is Version 1.1.0 (late July 2023).

The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard. OSCAL promises to enable FedRAMP automation (and automation of other frameworks that adopt it), improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information. OSCAL automation can simplify many of the manual tasks involved in compliance, including:

  • Generating security documentation
  • Assessment plan and results evaluation
  • Tracking remediation activities
  • Reporting on compliance status

OSCAL can be used to support a wide range of compliance frameworks, including:

  • FedRAMP (early adoption in progress)
  • NIST Cybersecurity Framework (CSF)
  • ISO/IEC 27001
  • SOC 2

FedRAMP automation with OSCAL promises to be a significant improvement over previous approaches to compliance automation. As proven by similar information exchange initiatives in other industries, such as e-commerce supply chain documents or financial filings with the SEC, OSCAL should make compliance management more efficient, more effective, and more scalable.

Here are some of the benefits of using the new OSCAL compliance framework:

  • Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money.  FedRAMP SSPs can easily run 300+ pages in Microsoft Word.  With continual updates and document submissions to the FedRAMP PMO,  this task alone will benefit greatly from OSCAL.
  • Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
  • Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks.  OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.

Since OSCAL's 1.0 release in 2021, Rizkly has supported the standard with the goal of providing the best software for FedRAMP automation. We love OSCAL and think it's great for the cybersecurity compliance world. Cloud service providers (CSPs) can import their existing Word SSPs and generate OSCAL with one click in Rizkly. It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements. While OSCAL is still in a pre-commercialization status for FedRAMP, we recommend that CSPs explore the transition to OSCAL along with their FedRAMP Rev 4 to Rev 5 gap analysis and planning efforts. If you’re wondering about a FedRAMP Rev 4 vs Rev 5 gap analysis, Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist: just contact us.
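As an added illustration (this is not Rizkly's code and not a real FedRAMP package), the Python below builds a small OSCAL-shaped catalog and SSP in JSON, serializes them, and runs the kind of cross-check a machine-readable format makes routine: every control-id the SSP claims must resolve to a control in the catalog, every catalog control should be addressed, and the metadata fields the schema requires must be present. The two documents are a constructed subset of the OSCAL catalog and SSP models (field names follow the published JSON schema, but most mandatory sections of a real SSP, such as system-characteristics, are omitted), and `sample-profile.json` is a hypothetical path.

```python
"""Minimal OSCAL catalog + SSP in JSON with an automated cross-check.
Constructed sample data; a subset of the real OSCAL models, not a FedRAMP package."""
import json
import uuid
from datetime import datetime, timezone

OSCAL_VERSION = "1.1.0"
REQUIRED_METADATA = ("title", "last-modified", "version", "oscal-version")


def metadata(title):
    """Metadata block every OSCAL root object carries; these four fields are required."""
    return {
        "title": title,
        "last-modified": datetime.now(timezone.utc).isoformat(),
        "version": "1.0",
        "oscal-version": OSCAL_VERSION,
    }


def build_catalog():
    """Constructed catalog: one group, two controls, one nested enhancement."""
    return {"catalog": {
        "uuid": str(uuid.uuid4()),
        "metadata": metadata("Sample catalog (constructed)"),
        "groups": [{"id": "ac", "title": "Access Control", "controls": [
            {"id": "ac-2", "title": "Account Management",
             "parts": [{"id": "ac-2_smt", "name": "statement",
                        "prose": "Manage system accounts."}],
             # Control enhancements are nested controls in OSCAL.
             "controls": [{"id": "ac-2.1", "title": "Automated Account Management"}]},
            {"id": "ac-6", "title": "Least Privilege",
             "parts": [{"id": "ac-6_smt", "name": "statement",
                        "prose": "Employ the principle of least privilege."}]},
        ]}],
    }}


def build_ssp(control_ids):
    """Constructed SSP carrying only the control-implementation section."""
    reqs = [{"uuid": str(uuid.uuid4()), "control-id": cid,
             "statements": [{"statement-id": f"{cid}_smt", "uuid": str(uuid.uuid4())}]}
            for cid in control_ids]
    return {"system-security-plan": {
        "uuid": str(uuid.uuid4()),
        "metadata": metadata("Sample SSP (constructed)"),
        "import-profile": {"href": "sample-profile.json"},  # hypothetical path
        "control-implementation": {
            "description": "Constructed implementation statements.",
            "implemented-requirements": reqs,
        },
    }}


def catalog_control_ids(catalog_doc):
    """Collect every control id, recursing through groups and nested enhancements."""
    found = set()

    def walk(node):
        for group in node.get("groups", []):
            walk(group)
        for control in node.get("controls", []):
            found.add(control["id"])
            walk(control)

    walk(catalog_doc["catalog"])
    return found


def check_ssp(ssp_doc, catalog_doc):
    """Findings: missing metadata fields, control-ids that do not resolve to the
    catalog, and catalog controls the SSP never addresses."""
    root = ssp_doc["system-security-plan"]
    findings = {"metadata": [f for f in REQUIRED_METADATA
                             if f not in root.get("metadata", {})]}
    known = catalog_control_ids(catalog_doc)
    claimed = {r["control-id"]
               for r in root["control-implementation"]["implemented-requirements"]}
    findings["unresolved"] = sorted(claimed - known)
    findings["unaddressed"] = sorted(known - claimed)
    return findings


def roundtrip(doc):
    """Serialize to JSON text and back, as tools exchanging OSCAL would."""
    return json.loads(json.dumps(doc, indent=2))


if __name__ == "__main__":
    cat = build_catalog()
    ssp = roundtrip(build_ssp(["ac-2", "ac-6", "ac-9"]))  # ac-9 is not in the catalog
    print(json.dumps(check_ssp(ssp, cat), indent=2))
```

The same walk works unchanged over a full NIST SP 800-53 catalog in OSCAL JSON, because family groups, controls and enhancements all nest through the same `groups`/`controls` keys; the unresolved and unaddressed lists are exactly what a reviewer would otherwise compile by hand from a Word SSP.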

What’s the difference between CMMC and FedRAMP? (2023-08-17)

By Chor-Ching Fan

As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives, many wonder “what’s the difference between CMMC and FedRAMP?” The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.

CMMC is a comprehensive framework designed to protect the defense industrial base’s (DIB) sensitive unclassified information. While it started with five levels of maturity, the latest version, CMMC 2.0, has three levels and tracks very closely with the NIST 800-171 control framework. All DoD contractors will need to achieve at least Level 1 (the required level depends on the sensitivity of the information the contractor handles) in order to keep and/or win new work with the DoD.

FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two approaches to achieving FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four different control baselines that support the different FedRAMP authorization impact levels.

Purpose
  • CMMC: Assesses and enhances the cybersecurity maturity of all contractors working with the DoD
  • FedRAMP: Focuses on the security of cloud service providers serving federal agencies

Certification/Authorization Levels
  • CMMC: 3
  • FedRAMP: 4

Minimum Level Required for Work Contracts
  • CMMC: Level 1 (once CMMC is finalized)
  • FedRAMP: Authorized at the applicable impact level

Levels and Control Scope
  • CMMC Level 1: 15 controls
  • CMMC Level 2: 110 controls
  • CMMC Level 3: 134 controls
  • FedRAMP LI-SaaS (Low Impact SaaS): 37-57 controls
  • FedRAMP Low: 125 controls
  • FedRAMP Moderate: 325 controls
  • FedRAMP High: 421 controls
  (The FedRAMP counts are the Rev 4 baselines; Rev 5 revises them.)

Applicability
  • CMMC: Applies to all contractors that work with the DoD
  • FedRAMP: Applies to cloud service providers (CSPs) that work with US government agencies


CSPs must achieve Authorized status in order to provide services to US government agencies.  Soon,  DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.

In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics dealing with data, network, staff, physical building and vendor security.  Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:

  • CMMC has been in development for the past few years and is now (2023) nearing finalization.
  • FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011).  We view it as the high bar for cloud cybersecurity compliance.
  • Both CMMC and FedRAMP are constantly evolving. The DoD, FedRAMP PMO and NIST are constantly updating the requirements to reflect the latest cybersecurity threats.
  • Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs.  Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.
Do you perform system remediation work? (2022-05-19)

Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls, but we do not perform the actual implementation work. Over the years, we have developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts is also a key part of compliance remediation efforts, and these are activities that our advisors do perform using the Rizkly features for policies and procedures.

What services do Rizkly expert advisors provide? (2022-05-19)

Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative.  We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project.  Typical project activities include:

  • Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
  • Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort 
  • Develop the system ‘boundary’, and what will be in scope for compliance purposes
  • Draft a system architecture diagram that clearly depicts the system boundary
  • Review existing documentation and work with your team members to understand system and process specifics
  • Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
  • For each gap determine a detailed plan of action to remediate
  • Collaborate as needed with personnel (staff and/or your vendors) during remediation. 
  • Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
  • Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
  • Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POA&M reports and SPRS scoring
  • Post-remediation ensure that all controls are in place and operating effectively
