Guided Compliance as a Service (GCaaS)

Our pricing is based on the two key components: number of employees and the level of expert assistance that we provide to your organization. However, in all scenarios, Rizkly customers gain access to the same set of world class cybersecurity compliance software features. We structured it this way so that smaller organizations can access the Rizkly cybersecurity compliance platform along with expert assistance at a cost that makes business sense. Our costs increase with more users and greater IT complexity driving corresponding increases in compute resources and expert assistance time.

Our GCaaS package options bundle expert assistance together with the Rizkly cybersecurity compliance platform. The combination of app and expert for one monthly subscription is the best option for most SMBs. Organizations that already have in-house staff or existing consultants can choose from our “platform only” packages. Either way, Rizkly provides you with a world class platform that makes your cybersecurity compliance initiative effective and efficient.

Regardless of the size of your organization, you get access to all of our powerful cybersecurity compliance features.
Most organizations choose our GCaaS packages which bundle different levels of cybersecurity compliance expert assistance each month.
If you have any questions or you’re ready to purchase, please contact us.

If you’re an advisory firm, MSP or software vendor and would like to learn more about embedded compliance, reseller or referral partnerships, just reach out so we can learn more and tell you about tailored packages that meet your specific situation.

GCaaS Packages	Compass	Scout	vCISO	vTeam
You Already Have Cyber Compliance Experts In House Staff Existing Consultants Just Want the Rizkly Platform
Guide Team Assistance Level E-mail Us When You Need Help! Monthly Check-Ins Quarterly Risk & Compliance Scorecards Annual Compliance Roadmap
Virtual CISO Assistance Level Guide Team PLUS Dedicated Compliance Expert Weekly Progress Check-In Calls Weekly Working Sessions
Managed Outsource Assistance Level Virtual CISO PLUS Weekly Working Sessions Schedule Ah-Hoc Working Sessions Direct Line to Your Cybersecurity Compliance Expert Read the Complete List of Help Our Experts Provide
Monthly Service	Select Employees Below	Select Employees Below	Select Employees Below	Select Employees Below
Projects	Unlimited	Unlimited	Unlimited	Unlimited
A project is the combination of one compliance framework and one system boundary
Active Users	Select Employees Below	Select Employees Below	Select Employees Below	Select Employees Below1
Number of Employees
You Got This! With this minimum level of monthly advisory, Rizkly experts are ready to answer occasional questions regarding compliance requirements or control implementations. Your dedicated advisor can also take a high-level look at documentation and point you to available reference materials where appropriate.
We Got Your Back! Our most popular package. This level of advisory is appropriate for companies who have started their compliance project but need some ongoing guidance to get across the finish line. Typical activities at this level include bi--weekly checkpoints, getting suggestions on specific technical configurations and challenges, reviewing documentation, and keeping management apprised of specific regulatory changes and updates.
Let’s Do This! Your dedicated Advisor is available to do some ‘heavy lifting’ as you look to accelerate your compliance journey. In addition to serving as a SME for your cyber and compliance needs, your Advisor can help develop policies and procedures, review control artifacts, prepare management briefings, and engage with auditors and other stakeholders.
Full Steam Ahead! Your Rizkly advisor can spearhead your compliance efforts and act as your fractional CISO. They can actively guide and oversee your compliance initiative, while at the same time developing required artifacts such as the SSP, policies, procedures and Incident Response plans. We are an active member of your team, and are accountable for the overall success of your compliance program. Once you're feeling good about where things stand, you can ramp down to a lower number of hours.

Guidance & Frameworks	Compass	Guide	vCISO	vTeam
Built-In Guidance & Examples
Compliance Framework Updates & Bulletins
CMMC v2 Level 1-3
NIST 800-171
NIST 800-53
ITAR
SOC2
NERC CIP-013-1
CCPA
GDPR
C-11 - Coming Soon
FedRAMP Li-SaaS, Moderate, OSCAL
HIPAA
ISO27001
PCI-DSS
CCPA
Custom Create Your Own
Continuous Compliance	Compass	Guide	vCISO	vTeam
Executive & Compliance Dashboards
Task Reminder Emails & Alerts
Advanced Task Management & Tracking
POAM & Overdue Items PDF Reports
RizkMap^TM Framework Mapping
RizkMap^TM Common Controls Automation
RizkMap Control Dependency Management
Incident Response Tracking
Risk Register & Reporting
Compliance Project Cloning
Vendor/Supply Chain Compliance
Assessment Questionnaires	Compass	Guide	vCISO	vTeam
Staff Questionnaire
CMMC Self Assessment Guided Questionnaire
Vendor/Stakeholder Questionnaire
Compliance Documentation	Compass	Guide	vCISO	vTeam
Document Library
System Environment & Boundary
Automated SSP Generation & Management
Automated POA&M Generation & Management
FedRAMP SAP, SAR, CRM, Vendor & Inventory Management
Evidence Storage by Control
Custom Create Your Own
Policy Manager
Policy & Procedure Templates
Pre-Mapped Policy Templates
Policy Versioning
Audit Readiness	Compass	Guide	vCISO	vTeam
Control Self Assessment
Assessor/Partner Access & Notes
DFARS 800-171 Scoring
Pre-Audit Artifact Validation
Audit & Certification Expert Facilitation
Accelerated Audit Success w/ Rizkly Audit Prep ^TM
Cyber Awareness	Compass	Guide	vCISO	vTeam
Awareness Users
Cyber Core Training
Create Your Own Training Course
Training & Survey Status Dashboard
Advanced Features	Compass	Guide	vCISO	vTeam
One-Click Data Export
Multi-Factor Authentication
Inherited Controls & Shared Responsibility Tracking
One-Click "800-171" to "CMMC" Migration
Azure AD Authentication
Bring Your Own Storage
Advanced Logging
Evidence API
OSCAL API
On-Premise Deployment	Available	Available	Available	Available
Gov Cloud Infrastructure	Available	Available	Available	Available

What is OSCAL and its role in FedRAMP Automation?uksun2023-08-16T16:05:25+00:00

What is OSCAL and its role in FedRAMP Automation?

By Chor-Ching Fan

FedRAMP automation is on its way. The Open Security Controls Assessment Language (OSCAL) is a machine-readable information exchange format developed by the National Institute of Standards and Technology (NIST) to enable automation of risk management and compliance frameworks based on security controls and functional requirements. OSCAL support the expression of compliance information through XML, JSON and YAML formats. OSCAL was released in June 2021 and is currently in Version 1.1.0 (late July 2023)

The FedRAMP cybersecurity management program is the first key adopter of the OSCAL standard. OSCAL promises to enable FedRAMP automation (and other frameworks that adopt it) improving the efficiency and effectiveness of compliance management by providing a standardized, machine-readable format for capturing and sharing security information. OSCAL automation has the ability to simplify many of the manual tasks involved in compliance including:

Generating security documentation
Assessment plan and results evaluation
Tracking remediation activities
Reporting on compliance status

OSCAL can be used to support a wide range of compliance frameworks, including:

FedRAMP (early adoption in progress)
NIST Cybersecurity Framework (CSF)
ISO/IEC 27001
SOC 2
HIPAA
PCI DSS

FedRAMP automation with OSCAL promises to be significant improvement over previous approaches to compliance automation. As proven by similar information exchange automation initiatives in other industries i.e. ecommerce supply chain documents or financial filing with the SEC, OSCAL should make compliance management be more efficient, more effective, and more scalable.

Here are some of the benefits of using the new OSCAL compliance framework:

Efficiency: OSCAL automation will reduce manual tasks involved in compliance, such as generating security documentation, conducting assessments, and tracking remediation activities. This can save organizations a significant amount of time and money. FedRAMP SSPs can easily run 300+ pages in Microsoft Word. With continual updates and document submissions to the FedRAMP PMO, this task alone will benefit greatly from OSCAL.
Effectiveness: OSCAL provides a standardized, machine-readable format for capturing and sharing security information. This makes it easier to identify, evaluate and determine next steps to remediate key risks for the US government and cloud service providers.
Scalability & Extensibility: OSCAL is a scalable framework that can be used to support a wide range of compliance frameworks. OSCAL is extensible so any user or standards body can leverage the reference models while ensuring it supports the unique elements of their own privacy and security risk program.

Since its 1.0 release in 2021, Rizkly has supported the OSCAL standard with the goal of providing the best software for FedRAMP automation. We love OSCAL and think its great for the cybersecurity compliance world. Companies (CSPs) can import their existing Word SSPs and generate OSCAL with one-click in Rizkly. It will not be practical for most organizations to use XML editors and handcraft OSCAL files each time there are updates or submission requirements. While still in a pre-commercialization status for FedRAMP, we recommend that CSPs explore the transition to OSCAL along with their FedRAMP R4 to R5 gap analysis and planning efforts. If you’re wondering about a FedRAMP R4 vs R5 gap analysis, Rizkly, compliance automation software with dedicated FedRAMP OSCAL compliance experts, is ready to assist…just contact us.

What’s the difference between CMMC and FedRAMP?uksun2023-08-17T17:58:39+00:00

What’s the difference between CMMC and FedRAMP?

By Chor-Ching Fan

As organizations chart their growth through government contracts and assess the cost of cybersecurity compliance initiatives, many wonder “what’s the the difference between CMMC and FedRAMP”? The Cybersecurity Maturity Model Certification (CMMC) and the Federal Risk and Authorization Management Program (FedRAMP) are two different compliance frameworks that organizations must follow if they want to work with the US government.

CMMC is a comprehensive framework designed to protect the defense industrial base’s (DIB) sensitive unclassified information. While it started with five levels of maturity, the latest version of the CMMC 2.0 framework includes 3 levels and tracks very closely with the NIST 800-171 control framework. All DoD contractors will need to achieve at least Level 1 (based on the sensitivity level of the information handled by the contractor) in order to keep and/or win new work with the DoD

FedRAMP is a cybersecurity framework that focuses on the security of cloud service providers (CSPs) doing business with the US federal government. There are two approaches to achieving FedRAMP Authorization, a provisional authorization through the Joint Authorization Board (JAB) or an authorization through a specific government agency sponsor. The JAB is the primary governing body for FedRAMP and includes representation from the Department of Defense (DoD), Department of Homeland Security (DHS), and General Services Administration (GSA). There are four different control baselines that support the different FedRAMP authorization impact levels.

	CMMC	FedRAMP
Purpose	Assesses and enhance the cybersecurity maturity of all contractors working with the DoD	Focuses on the security of cloud service providers serving federal agencies
Certification/Authorization Levels	3	4
Minimum Level Required for Work Contracts	Level 1 (once CMMC is finalized)	Authorized at applicable impact level
Levels and Control Scope	CMMC Level 1: 15 controls CMMC Level 2: 110 controls CMMC Level 3: 134 controls	LI-SaaS (Low Impact SaaS): 37-57 controls Low: 125 controls Moderate: 325 controls High impact: 421 controls
Applicability	Applies to all contractors that work with the DoD	Applies to cloud service providers (CSPs) that work with US government agencies

CMMC vs FedRAMP

CSPs must achieve Authorized status in order to provide services to US government agencies. Soon, DoD contractors will need to achieve at least CMMC Level 1 status before winning new contracts.

In general, FedRAMP is a more comprehensive framework than CMMC. FedRAMP requires organizations to enhance process maturity and capabilities across a wider range of topics dealing with data, network, staff, physical building and vendor security. Here are additional considerations to keep in mind regarding CMMC and FedRAMP compliance:

CMMC has been in development for the past few years and is now (2023) nearing finalization.
FedRAMP is a mature framework (based on NIST 800-53) that has been in place for over a decade (2011). We view it as the high bar for cloud cybersecurity compliance.
Both CMMC and FedRAMP are constantly evolving. The DoD, FedRAMP PMO and NIST are constantly updating the requirements to reflect the latest cybersecurity threats.
Compliance with CMMC and FedRAMP can be a complex and expensive process, especially for SMBs. Rizkly helps SMBs consider their needs and regulatory requirements and offers an effective and efficient solution for achieving and sustaining improved cybersecurity posture and compliance.

Do you perform system remediation work?admin2022-05-19T02:00:44+00:00

Do you perform system remediation work?

Rizkly experts will advise, guide and review hardware and software technology changes to ensure that they address specific compliance controls but we do not perform the actual implementation work. Over the years, we have a developed a trusted ecosystem of partners who offer effective and affordable solutions to expedite remediation of security and compliance gaps. We will gladly refer you to appropriate partners if and when the need arises. Creating policies, procedures and other artifacts are also a key part of compliance remediation efforts and these are activities that our advisors do perform using powerful Rizkly features for policies and procedures.

A description of the services that Rizkly expert advisors provide?admin2022-05-19T01:37:42+00:00

A description of the services that Rizkly expert advisors provide?

Rizkly cybersecurity compliance advisors will work with you through the entire lifecycle of your compliance initiative. We will scale up/down depending on specific need, and we co-create our involvement in the early stages of the project. Typical project activities include:

Gain an understanding of your business, your clients, your system(s), and your anticipated compliance requirements
Educate your team members on compliance requirements, how to leverage the Rizkly app and what will be expected throughout the effort
Develop the system ‘boundary’, and what will be in scope for compliance purposes
Draft a system architecture diagram that clearly depicts the system boundary
Review existing documentation and work with your team members to understand system and process specifics
Perform a high level gap assessment to determine what controls are in place and operating effectively, and where there are gaps
For each gap determine a detailed plan of action to remediate
Collaborate as needed with personnel (staff and/or your vendors) during remediation.
Provide advisory support, develop documentation, design controls, review evidence, audit prep, etc.
Ensure that all artifacts and control implementation statements are effectively captured in Rizkly
Educate your team on how to leverage Rizkly to generate audit-ready documentation such as SSPs, POAM reports and SPRS scoring
Post-remediation ensure that all controls are in place and operating effectively