New Frameworks: CCPA, ISO 27701, & More

Drata Icon Black

by Drata

May 24, 2022
We've added frameworks to the Drata platform including CCPA, ISO 27701, Microsoft SSPA, NIST CSF, NIST 800-171, NIST 800-53, CMMC, and FFIEC.

Security requirements are always evolving and it’s of the utmost importance that we’re equipped to handle those changes for our customers. Our team has been hard at work to expand the available frameworks on the Drata platform. Today we are launching our largest number yet—eight new frameworks! 

Our VP of Product, Brian Elmi, said it best, “Compliance has always been integral to a strong security posture, but it’s quickly becoming mandatory for companies responsible for managing and protecting all sorts of data. This launch marks Drata’s biggest expansion yet, and it’s a reflection of how quickly we’re committed to innovating in order to meet customer needs in real time.”

Read more to learn about each framework we’re launching and if it’s one your company is (or should be!) working towards.


The California Consumer Privacy Act, or CCPA, is known for giving consumers a range of rights over their own personal information and how it’s shared with businesses. 

CCPA ensures that consumers have the right to:

  • Know about the personal information (PI) that a business collects about them and how, why, and who it’s shared with. 

  • Delete PI that has been collected from them (there are exceptions to this provision). 

  • Opt-out of the sale of their PI.

  • Not experience discrimination in the exercise of CCPA rights.

You must be CCPA compliant if you do business in California and:

  • Have a gross annual revenue of over $25 million.

  • Buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices.

  • Derive 50% or more of your annual revenue from selling California residents’ personal information.

Although companies that are GDPR compliant may have an advantage on complying with CCPA, it’s important to note the key differences between the two regulations before making assumptions. 

When trying to manage multiple frameworks, your company needs an efficient way to handle data crossover. Drata has automation capabilities for the overlapping controls with other frameworks like GDPR and CCPA. With control mapping and the Dratameter, your company will be able to visualize framework progress with ease.

ISO 27701

ISO 27701 provides specific requirements and directives for establishing, implementing, and continually maintaining a Privacy Information Management System (PIMS). It expands on the Information Security Management System (ISMS) contained in ISO 27001 to cover the privacy protections required for processing Personally Identifiable Information (PII). 

It was created to provide an international standard for data privacy controls that when coupled with a framework like ISO 27001 and its ISMS, allows organizations to establish secure privacy data management. 

Similar to ISO 27001, ISO 27701 is for private, public, and government organizations that need to take a risk-based approach to processing and storing PII. It’s key to note that an ISO 27701 certification is only available as an extension of an ISO 27001 certification; it cannot be obtained on its own.

Having both ISO 27001 and ISO 27701 certifications means that a data privacy management system is in place. This sets up companies and organizations to ensure compliance with additional data privacy frameworks like CCPA and GDPR.

Companies that are building an advanced security posture from starter frameworks, like ISO 277001 after ISO 27001, can benefit from Drata—a compliance platform with custom control options. With ISO 27701 being a requirement-only framework, Drata makes it simple to manually map framework requirements and our team of past auditors is always available to help you navigate more advanced compliance requirements.

Microsoft SSPA

Microsoft Supplier Security and Privacy Assurance (SSPA) is a corporate program used to render Microsoft’s data processing instructions to their suppliers in the form of the Microsoft Supplier Data Protection Requirements. SSPA works to build compliance with an annual audit cycle.

Any vendor that processes what Microsoft considers as Microsoft Personal Data or Microsoft Confidential Data must be SSPA compliant. 

Microsoft Personal Data includes:

  • Sensitive data (government identifiers, location data, health data, ethnic origin, etc.)

  • Customer content data

  • Captured and generated data

  • Account data

  • End-user pseudonymized information (Identifiers created by Microsoft to identify users of Microsoft products and services)

Microsoft Confidential Data consists of two types, Highly Confidential and Confidential. Highly Confidential Data would include information such as pre-release device marketing materials or unannounced corporate financial data. Confidential Data is considered to be information like documentation for any Microsoft services or products and Microsoft product license keys.

Unlike GDPR or CCPA, this framework is not a law created by a governing body but a requirement by Microsoft from suppliers that process any of the above information. However, if your company is ISO 27001 and ISO 27701 compliant, due to the nature of the data privacy management controls, you may also be on your way to Microsoft SSPA compliance.

As suppliers of Microsoft, many companies that must comply with Microsoft SSPA also use an impressive tech stack. With over 75 app integrations, Drata is ready to seamlessly integrate into your existing tech stack. Read more about how Drata’s integrations can help grow your compliance program.


The National Institute of Standards and Technology is a non-regulatory agency connected with the United States Department of Commerce. They have established the NIST Framework for Improving Critical Infrastructure Cybersecurity or the NIST Cybersecurity Framework (NIST CSF).

NIST CSF organizes basic cybersecurity activities at their highest level that are known as the following functions:

  • Identify

  • Protect

  • Detect

  • Respond

  • Recovery

Each of these functions help agencies manage cybersecurity risks by organizing information, enabling risk management decisions, addressing threats, and learning from previous activities.

NIST CSF compliance is not required by law for all companies in the United States, however, it’s mandatory for all government agencies and their contractors. If your company does business with a government agency—in any capacity—you likely must maintain NIST CSF compliance.

NIST CSF is the foundational framework for a number of others, including NIST SP 800-171 and NIST 800-53. Whether your company has an established security program or is just starting out, Drata’s dedicated team of trusted compliance advisors will guide you through achieving NIST CSF compliance.

NIST SP 800-171

The NIST SP 800-171 or NIST 800-171 is a National Institute of Standards and Technology Special Publication that provides recommended requirements for managing the confidentiality of controlled unclassified information or CUI. This framework is more specific than NIST CSF as it specifically pertains to contractors of U.S. government agencies. Companies that store or process sensitive information that is considered unclassified on behalf of the U.S. government must comply with NIST 800-171.

Organizations that work with U.S. government agencies and may need to be NIST 800-171 compliant include:

  • University or college research departments that use federal data or information.

  • Healthcare data processors.

  • Defense contractors.

  • Research institutes that receive federal funding or grants.

  • Web or communication service providers.

There are 110 security requirements that must be met to be NIST 800-171 compliant. These 110 requirements are grouped into 14 requirement families best related to that security topic. 

Some of these requirement families overlap with the categories of the NIST CSF functions. If your organization is already NIST CSF compliant, you are likely close to achieving NIST 800-171 compliance as well. With the ability to monitor all of your controls in real-time, Drata gives you all the information you need to make any fixes in one easy view.

NIST 800-53

NIST 800-53 is an additional framework created by the National Institute of Standards and Technology to address the increasing technological capabilities of national adversaries. This framework contains control overlaps with NIST CSF and NIST 800-171. 

As with the other NIST frameworks, government agencies and contractors that work with U.S. agencies must comply with these standards.

NIST 800-53 is designed to improve the risk management systems in place for any agency or organization that processes, transmits, or stores information. There are over 900 controls that NIST 800-53 includes leaving organizations to choose the controls that best fit their risk level. 

With NIST 800-53 containing so many controls to choose from, it’s crucial to select a compliance platform that allows manual control mapping and provides custom control options. 


Cybersecurity Maturity Model Certification (CMMC) is a certification for all Department of Defense (DoD) contractors and subcontractors to ensure that their systems are meeting security requirements for safeguarding  controlled unclassified information (CUI).

Companies that are working with the DoD must build a security program that’s compliant with the applicable CMMC level they are working to achieve. Contractors who do not handle information deemed critical to national security (Level 1 and a subset of Level 2) will be required to perform annual self-assessments. Contractors managing information critical to national security (a subset of Level 2) will be required to undergo third-party assessments performed by a CMMC Certified Third Party Assessor Organization. The highest priority, most critical defense programs (Level 3) will require government-led assessments.

 The levels essentially determine the type of information contractors are able to work with given how fortified their security program is. For instance, Level 1 consists of foundational security hygiene while Level 3 requires organizations to have proactive methods in place to detect and mitigate threats prior to them happening. All of the levels build upon one another to achieve the next level. 

Whether you’re looking to obtain a Level 1 or Level 2 certification, Drata gives you the ability to map the controls you need to achieve, monitor, and maintain compliance. Instead of jumping from tool to tool to manage multiple frameworks and regulations, you’ll have a central location with a robust, real-time view of your security posture.


The Federal Financial Institutions Examination Council is responsible for constructing guidelines and practices for financial institutions. 

The FFIEC provides a set of technology standards for online banking that financial institutions must follow. It consists of two parts: Inherent Risk Profile and Cybersecurity Maturity. Cybersecurity Maturity covers five domains:

  • Cyber Risk Management and Oversight

  • Threat Intelligence and Collaboration

  • Cybersecurity Controls

  • External Dependency Management

  • Cyber Incident Management and Response

Any federally supervised financial institution including their holding organizations and subsidiaries, must comply with these FFIEC regulations or potentially face massive fines. 

Within Drata you’ll be able to map FFIEC controls and customize the platform to fit your needs—helping you reach and maintain compliance. Monitor FFIEC and over a dozen more frameworks in a single location. So whether you’re building a more mature security program or trying to lessen the workload on your team, Drata has the tools to achieve both. 

Additional Key Features

Alongside these newly launched frameworks, Drata customers also benefit from many other features including:

  • Dedicated customer success agents to ensure audit readiness.

  • Over 75 integrations to merge seamlessly with your tech stack.

  • A customizable platform to fit your specific compliance needs.

  • A new framework dashboard to easily visualize your framework readiness with our Dratameter.

Whether you’re preparing to build your security program from scratch or optimize it to the highest level, Drata is the compliance automation platform that will save your team hundreds of hours of evidence collection and strengthen your security posture. Schedule a time to talk with our team to be audit-ready at all times.

The Drata Newsletter

Trusted is Drata’s newsletter focused on the world of compliance, security, data privacy, and everything in between.


The Drata Community

Screen Shot 2022-07-13 at 9.45 1
Resources for you
How to Conduct a Business Impact Analysis

How to Conduct a Business Impact Analysis

Drata Series C Blog Hero Image

Announcing Drata’s Series C


What Are Containers? + Why Should You Use Them

Drata Icon Black