We often hear the word “self-attestation.” But what exactly does it entail, and why do some compliance frameworks base their certification on it? Let’s explore the benefits, challenges, and evolution of self-attestation in frameworks like the Cybersecurity Maturity Model Certification (CMMC) and PCI DSS, where it goes by a different name—self-assessment. Despite the different names, the underlying concept remains consistent: organizations affirming their compliance with specific standards or regulations without external certification.
What is Self-Attestation in Compliance?
Self-attestation in cyber security is the process by which an organization asserts its own compliance with a regulation or standard without third-party verification. It typically takes the form of a signed statement, a questionnaire, or supporting documentation affirming adherence to the requirements, and the organization, not an assessor, bears responsibility for its accuracy.
Benefits of Self-Attestation
Self-attestation offers several advantages, including flexibility, cost-effectiveness, and efficiency. Organizations can assess their own compliance, tailor solutions to their unique circumstances, and avoid the delays and expenses associated with third-party audits.
Self-Attestations Required by Various Frameworks
Numerous cybersecurity regulations and frameworks advocate for or mandate self-attestation as part of their compliance measures.
NIST Cybersecurity Framework
The NIST Cybersecurity Framework (CSF) is voluntary and has no certification scheme. Organizations that adopt it assess their own current and target profiles against the framework's functions and outcomes and implement controls and safeguards accordingly, so any claim of alignment with the CSF is by nature a self-attestation.
FCC
The FCC's Supplier's Declaration of Conformity (SDoC) procedure, which replaced the older Declaration of Conformity and verification procedures, lets the responsible party for many digital devices (for example, unintentional radiators regulated under Part 15) declare that the equipment meets the FCC's technical requirements without obtaining an FCC grant of certification. The responsible party must be located in the United States, must test the device or have it tested, and must retain the test report and related compliance records for inspection on request. Unlike certification, SDoC does not require the testing to be done by an accredited laboratory.
This form of self-attestation benefits manufacturers by cutting cost and time to market, while the record-keeping requirement and the FCC's authority to demand test data and investigate non-compliant devices keep suppliers accountable to the interference limits.
CISA Secure Software Development Attestation Form
Federal software self-attestation does not come from a binding operational directive (BOD 22-01, for instance, concerns remediation of known exploited vulnerabilities, not software development practices). It comes from OMB's software supply chain memoranda, which CISA implements through its Secure Software Development Attestation Form. Producers of software used by federal agencies complete the form to attest that the software was developed in accordance with the subset of NIST Secure Software Development Framework (SSDF, NIST SP 800-218) practices listed on it, and the form must be signed by the producer's chief executive officer or a designee with authority to bind the company.
OMB M-22-18
OMB Memorandum M-22-18, Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (September 2022, with deadlines later revised by M-23-16), implements Executive Order 14028. It directs federal agencies to obtain a self-attestation from the producer of any software the agency acquires or uses, confirming that the software was developed in conformance with the NIST SSDF and NIST's software supply chain security guidance. An agency may accept a third-party assessment by a FedRAMP-authorized assessor in place of the self-attestation, and may additionally require artifacts such as a software bill of materials where it judges the risk warrants it.
GDPR
The General Data Protection Regulation (GDPR) has no self-attestation mechanism, but its accountability principle (Article 5(2)) requires controllers to be able to demonstrate compliance. Approved codes of conduct, certification mechanisms, and data protection impact assessments (DPIAs) are the tools organizations use to evidence that compliance to supervisory authorities.
DPF
On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF). Under it, personal data may flow from the EU to U.S. organizations that have self-certified to the DPF without additional transfer safeguards such as standard contractual clauses.
To participate, a U.S. organization self-certifies to the Department of Commerce that it adheres to the DPF Principles, a set of data protection commitments aligned with GDPR concepts, publicly commits to them in its privacy policy, and recertifies annually. The self-certification is enforceable by the Federal Trade Commission, so a false attestation carries legal consequences rather than being a mere formality.
Start Getting Value With Centraleyes for Free
See for yourself how the Centraleyes platform exceeds anything an old GRC system does and eliminates the need for manual processes and spreadsheets to give you immediate value and run a full risk assessment in less than 30 days
Challenges of Self-Attestation
Despite its benefits, self-attestation presents challenges of accuracy, reliability, and accountability. Smaller organizations in particular may lack the expertise to scope and test controls properly, so self-attested statements end up with gaps and inaccuracies even when made in good faith. The obvious drawback is structural: without third-party verification, nothing distinguishes an accurate attestation from an inaccurate one until an audit, a breach, or an investigation exposes the difference.
Did Self-Attestation Work for NIST SP 800-171?
Before CMMC, the DoD relied on DFARS clause 252.204-7012 (final rule 2016, with a December 31, 2017 implementation deadline), which required contractors and subcontractors handling covered defense information to implement the security requirements of NIST SP 800-171. Compliance rested entirely on the contractor's own representation: accepting the clause meant asserting that the 110 requirements were implemented or covered by a plan of action, and no independent assessment was required.
In July 2019 the DoD Office of Inspector General published an audit (DODIG-2019-105) of a sample of ten contractors holding DoD contracts worth $1 million or more, checking whether they had implemented the NIST SP 800-171 requirements. Nine of the ten did not consistently implement the DoD-mandated system security controls for protecting defense information, with findings including missing multifactor authentication, weak password enforcement, and unmitigated network and system vulnerabilities.
Key Issues with Self-Attestation in the DoD Audit:
- Lack of Verification: Self-attestation relied on contractors’ own assertions of compliance without independent verification. This lack of verification allowed some contractors to falsely claim compliance without implementing the necessary cybersecurity controls.
- Inconsistent Compliance: Without standardized assessment processes or third-party validation, the level of compliance varied among contractors. Some may have implemented only superficial or partial compliance measures, while others may have fully adhered to the standards.
- Risk of Non-Compliance: Contractors’ failure to adequately implement cybersecurity controls posed a risk to the security of Controlled Unclassified Information (CUI) and sensitive data handled within the defense contractor ecosystem. Non-compliance with cybersecurity standards could potentially result in data breaches, security incidents, or compromises of national security.
- Trust Issues: Discovering discrepancies between contractors’ self-attestations and their cybersecurity posture eroded trust between the DoD and its contractors. This lack of trust undermined the effectiveness of self-attestation as a mechanism for ensuring cybersecurity compliance.
These findings fed directly into the Cybersecurity Maturity Model Certification (CMMC), which ties contract eligibility to an assessed level of implementation of NIST SP 800-171 rather than to a contractor's own claim.
CMMC 2.0 does not abandon self-attestation outright; it calibrates the assessment to the sensitivity of the information. Level 1 (basic safeguarding of federal contract information) uses an annual self-assessment, and a subset of Level 2 contracts allow a self-assessment every three years, but in both cases the score is submitted to the Supplier Performance Risk System (SPRS) and a senior official must affirm continued compliance annually, which turns a vague claim into an accountable one. Most Level 2 contracts, which cover controlled unclassified information and map to the 110 NIST SP 800-171 requirements, require a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO). Level 3 adds selected requirements from NIST SP 800-172 and is assessed by the government's DIBCAC.
The move from unverified self-attestation to independent assessment, with signed affirmations attached to the self-assessments that remain, reflects a shift towards a more reliable way of establishing cybersecurity compliance.
Self-Assessment Questionnaire in PCI DSS
PCI DSS is not law. The PCI Security Standards Council (PCI SSC), founded by the major payment brands (Visa, Mastercard, American Express, Discover, and JCB), publishes the standard, and compliance is imposed contractually: if your organization stores, processes, or transmits cardholder data, your acquiring bank requires you to validate compliance, and non-compliance can bring fines, higher processing fees, or loss of the ability to accept cards.
Each payment brand defines compliance levels based on annual transaction volume rather than company size. The more card transactions you process (and, for some brands, whether you have suffered a breach), the more stringent the validation requirements.
Merchants at Levels 2, 3, and 4 are generally not required to undergo an on-site assessment by a Qualified Security Assessor (QSA). Instead, they validate with a Self-Assessment Questionnaire (SAQ), a checklist of PCI DSS requirements scoped to how they handle card data (for example, SAQ A for fully outsourced e-commerce, SAQ B for imprint or standalone dial-out terminals, SAQ D for everything else). PCI DSS v4.x defines ten SAQ types, including separate SAQ D versions for merchants and service providers and SAQs for validated P2PE and SPoC solutions. Because the brands' rules differ (Mastercard, for example, requires Level 2 merchant SAQs to be completed by a QSA or by staff holding PCI SSC Internal Security Assessor certification), confirm with your acquirer or payment brand which SAQ applies before relying on it.
The Purpose of an AoC in PCI DSS
The Attestation of Compliance (AOC) within PCI DSS is the document by which an organization formally declares its compliance status to its acquirer or payment brand. After completing the SAQ, the organization fills out the AOC that corresponds to that SAQ type and signs it, attesting that the self-assessment is accurate and that all applicable requirements are in place (or documenting which are not). The AOC, rather than the full SAQ, is usually what an acquirer or customer asks to see.
For Level 2-4 merchants, the AOC is therefore the key compliance deliverable. They can complete it themselves, but many engage a QSA or an ISA-certified employee to review scoping and evidence first, since a signed AOC that later proves inaccurate exposes the merchant to brand penalties and, after a breach, to liability for not having been compliant.
Level 1 merchants (and Level 1 service providers) instead undergo an annual on-site assessment by an independent QSA (or an ISA, where the brand allows it), which produces a detailed Report on Compliance (ROC). Their AOC is derived from the ROC and signed by both the assessor and the assessed entity, providing the independent verification that a self-assessed AOC lacks.
Summing it Up
Is this the end of self-attestation? No. Self-attestation continues to be an acceptable way to demonstrate compliance where the risk is lower or an independent assessment would be disproportionate, and every framework above that retains it pairs it with some accountability mechanism: an executive's signature, records a regulator can inspect, or enforcement against false statements.
Its strengths are flexibility and efficiency; as the DoD audit showed, its efficacy hinges on trust and verification. Automated evidence collection and continuous control monitoring give organizations a way to back a self-attestation with data rather than assertion, narrowing the gap between what is claimed and what is actually in place.